Any config tricks to stop site from framing us?
Ian Evans
ianevans at digitalhit.com
Tue Dec 3 21:49:55 UTC 2013
On 2013-12-03 16:39, Francis Daly wrote:
> On Tue, Dec 03, 2013 at 04:13:03PM -0500, Ian Evans wrote:
>
> Hi there,
>
>> Yesterday, I discovered that someone had registered a site (basically
>> taking our domain name and adding a word to it) and then framed our
>> whole site in theirs. By that I mean it's a full iframe job, with no
>> toolbars showing.
>
> nginx sees the http request coming from the client.
>
> Look at the http headers that you see getting to your nginx, when you
> request your site directly.
>
> Look at the http headers that you see getting to your nginx, when you
> go to their site.
>
> Play "spot the difference".
>
> Most likely, the only some-bit reliable difference is in the Referer:
> header. But maybe you can see something else, when you use the browsers
> that you care about.
>
>> Not sure what they're up to, but I'd like to stop it. I know I can use
>> a framebuster, but I'm wondering what I can do on the nginx.conf end to
>> stop them dead in their tracks so not an ounce of our bandwidth goes to
>> them.
>
> You can't, reliably.
>
> You can, for browsers that send a Referer: header of their site, return
> different content -- either a simple rejection using something like
> http://nginx.org/r/valid_referers; or tailored content that indicates
> what you think of the framing site, or whatever else you can imagine.
>
Thanks for the info. I'll have to take a look. I'm also hoping to get
them shut down as I've talked to their registrar. I'm hoping they
grabbed a whole bunch of domains to vampire and not just mine. If it was
just us, that'd be creepy.
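
The Referer check suggested in the quoted reply, sketched as an added example that is not part of the original thread. The host names example.com and partner.example.net are placeholders, and the X-Frame-Options header is an addition the thread does not mention.

```nginx
# Added example, not from the thread. example.com stands in for the framed site.
server {
    listen 80;
    server_name example.com www.example.com;

    # Referer values accepted as valid:
    #   none         - no Referer header at all (typed URL, bookmark)
    #   blocked      - Referer present but stripped by a proxy or firewall
    #   server_names - Referer host matches one of this server's names
    # This is an allow-list: any other site that links to you (search
    # engines, partners) must be added here, or its visitors are rejected.
    # partner.example.net is a placeholder for such a site.
    valid_referers none blocked server_names partner.example.net;

    location / {
        # $invalid_referer is "1" when the Referer matched none of the
        # values above, e.g. the framing page's URL on the iframe's
        # initial document request.
        if ($invalid_referer) {
            return 403;
        }

        # Assumption beyond the thread: browsers that honour this header
        # refuse to render the response inside a frame on another origin.
        # The request still reaches nginx, so this stops the display of
        # the framed page, not the first request for it.
        add_header X-Frame-Options SAMEORIGIN;

        root /var/www/example.com;   # placeholder document root
    }
}
```

As the reply says, the Referer test is not reliable: a client that omits the header falls under `none` and is served normally.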