ClickJacking With IIS

Report · Apr 13, 2015

Are ColdFusion's clickjacking filter options (Clickjacking issue - adding multiple url patterns in a single filter mapping) needed if using Internet Information Services' (IIS) HTTP Response Header option setting X-Frame-Options? Is ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation?

Report · Apr 15, 2015

Clickjacking is a client side event so "ColdFusion (Java) interpretation of page IFRAME content occurring independently of IIS web server's interpretation" would not be a issue -- assuming any of this is going on, which I cannot fathom how it would be. You can set the X-Frame-Options header value in either IIS or your CF application using CFHeader. If both IIS and CF sets the value, I'm fairly certain the client will receive two header entries and while ugly, as long as they don't conflict with each other I think you're fine. Does that answer your question?

Report · Apr 15, 2015

Is my understanding of your response correct? Web site sends a directive to the client (browser) declaring client should not accept content into IFRAME from anywhere else than the host site? It is up to the client (browser) to handle rejecting any "foreign" (URL path) information within the IFRAME?

Report · Apr 15, 2015

Correct.

Report · Apr 15, 2015

X-Frame-Options: DENY is the easiest and most widely used option to prevent clickjacking but there are other client side scripting options as well. See Clickjacking - OWASP

Report · Apr 15, 2015

Then setting the web server to issue the directive is a more complete method. It covers both ColdFusion applications in addition to any other web site (/application) pages.

Thanks for enlightening me on this web environment process!

ClickJacking With IIS

1 Correct answer

Photos