(Semi-OT) Clickjacking countermeasure

c0nw0nk nginx-forum at forum.nginx.org
Thu Sep 22 20:57:28 UTC 2016


If you read the OWASP page, it will also mention header stripping etc. and
proxies that will remove the X-Frame-Options headers. There is no real way to
stop proxies framing your site, but X-Frame-Options combined with that
JavaScript is a good way to start; it will stop the majority.

Also, breaking their proxies is what I like to do.

For example, I combine it with not allowing people to browse with JavaScript
disabled. (This is good for adverts too, since ads use JavaScript, so why
would you let people browse with JavaScript disabled?)

<head>
<noscript><meta http-equiv="refresh" content="0; URL=//www.networkflare.com/error.html"/></noscript>
</head>

There are some proxies that will still get through; for example, this one
shows persistence, but block their IPs and problem solved:
https://www.hidemyass.com/proxy

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,269763,269776#msg-269776
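The post relies on the X-Frame-Options header as the first line of defence. A defender's way to verify what a server actually sends is to inspect its response headers and work out what a browser will enforce, including the Content-Security-Policy frame-ancestors directive, which current browsers apply in preference to X-Frame-Options when both are present. The checker below is an added example and is not code from the post or from nginx; the header sets it examines are constructed sample data.

```python
"""Assess a set of HTTP response headers for anti-framing (clickjacking) protection.

Added example, not from the forum post. It looks at X-Frame-Options and at the
CSP frame-ancestors directive, which supersedes X-Frame-Options in browsers that
support CSP, and reports whether the page can be framed by other origins.
"""
from typing import Dict, List, Optional


def parse_csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    Tokens are lowercased but keep their quotes, so 'self' and 'none' stay distinct
    from host names.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [token.lower() for token in parts[1:]]
    return None


def assess_framing_protection(headers: Dict[str, str]) -> dict:
    """Summarise what a browser will enforce for the given response headers."""
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value for name, value in headers.items()}
    result = {"xfo": None, "frame_ancestors": None, "protected": False, "notes": []}

    xfo = lower.get("x-frame-options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            result["xfo"] = value
            result["protected"] = True
        elif value.startswith("ALLOW-FROM"):
            # ALLOW-FROM was never widely implemented and is ignored by current browsers.
            result["xfo"] = value
            result["notes"].append("ALLOW-FROM is ignored by current browsers; no protection")
        else:
            result["notes"].append(f"unrecognised X-Frame-Options value {xfo!r}")

    csp = lower.get("content-security-policy")
    if csp:
        ancestors = parse_csp_frame_ancestors(csp)
        if ancestors is not None:
            result["frame_ancestors"] = ancestors
            # frame-ancestors wins over X-Frame-Options; '*' or an empty list means anyone may frame.
            result["protected"] = bool(ancestors) and "*" not in ancestors
            if xfo:
                result["notes"].append("frame-ancestors present; X-Frame-Options is ignored by CSP-aware browsers")

    if not result["protected"]:
        result["notes"].append("no effective anti-framing header; any origin can frame this page")
    return result


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "nothing": {},
    "xfo_only": {"X-Frame-Options": "SAMEORIGIN"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.test"},
    "csp_none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        verdict = assess_framing_protection(headers)
        print(f"{name:10} protected={verdict['protected']} notes={verdict['notes']}")
```

On nginx the two headers are emitted with `add_header X-Frame-Options "SAMEORIGIN" always;` and `add_header Content-Security-Policy "frame-ancestors 'self'" always;`; the checker above is meant to confirm that what reaches the client, after any intermediate proxy, still contains them.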
