Any config tricks to stop site from framing us?

Francis Daly francis at daoine.org
Tue Dec 3 21:39:12 UTC 2013


On Tue, Dec 03, 2013 at 04:13:03PM -0500, Ian Evans wrote:

Hi there,

> Yesterday, I discovered that someone had registered a site (basically 
> taking our domain name and adding a word to it) and then framed our 
> whole site in theirs. By that I mean it's a full iframe job, with no 
> toolbars showing.

nginx sees the http request coming from the client.

Look at the http headers that you see getting to your nginx, when you
request your site directly.

Look at the http headers that you see getting to your nginx, when you
go to their site.

Play "spot the difference".

Most likely, the only some-bit reliable difference is in the Referer:
header. But maybe you can see something else, when you use the browsers
that you care about.

> Not sure what they're up to, but I'd like to stop it. I know I can use 
> a framebuster, but I'm wondering what I can do on the nginx.conf end to 
> stop them dead in their tracks so not an ounce of our bandwidth goes to 
> them.

You can't, reliably.

You can, for browsers that send a Referer: header of their site, return
different content -- either a simple rejection using something like
http://nginx.org/r/valid_referers; or tailored content that indicates
what you think of the framing site, or whatever else you can imagine.

	f
-- 
Francis Daly        francis at daoine.org
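
An added example, not part of the message above or of the nginx documentation: one way to express the Referer-based rejection it describes in nginx.conf. `framer.example` and `www.example.org` are placeholder hostnames, and the two `add_header` lines go beyond what the thread discusses.

```nginx
# Added example. framer.example = placeholder for the framing site,
# www.example.org = placeholder for your own site.
http {
    # Deny-list keyed on the client-supplied Referer header. Requests with
    # no Referer, or one stripped by a proxy or browser setting, map to 0
    # and are served normally, so this is best-effort only.
    map $http_referer $framed_by_copycat {
        default                                                 0;
        "~*^https?://([^/]+\.)?framer\.example(:[0-9]+)?/"      1;
    }

    server {
        listen 80;
        server_name www.example.org;

        # Not mentioned in the thread: response headers that tell browsers
        # which support them not to render these pages inside another
        # origin's frame. The request still reaches nginx.
        add_header X-Frame-Options SAMEORIGIN always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;

        location / {
            # Simple rejection for requests that name the framing site.
            if ($framed_by_copycat) {
                return 403;
            }

            # Stricter allow-list alternative using valid_referers:
            # accept only an absent or masked Referer, or our own
            # server_name. This also rejects visitors who follow links
            # from any other site, so it is left commented out here.
            #
            # valid_referers none blocked server_names;
            # if ($invalid_referer) {
            #     return 403;
            # }

            # ... normal site configuration continues here ...
        }
    }
}
```

Only the request for the framed document itself carries the framing site's Referer; images, stylesheets and scripts loaded by that document are requested with your own page as Referer, so the check is useful on page locations rather than on static assets.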