You can read what clickjacking is here, but I highly recommend you get NoScript first. It is a plug-in for the Firefox browser that gives you control over which sites are allowed to run JavaScript and other potentially dangerous scripts. It is an excellent security tool for web users, and it's completely free!
Now, to protect a website…
Well, there are many ways to implement clickjacking protection for your website or web app, but the mechanism itself is simple: the site sends its framing "permissions" in the X-Frame-Options response header. The value SAMEORIGIN tells the browser that it is OK to render the page in an iframe only on pages from the same origin. The value DENY tells the browser not to render the page inside any iframe at all. The check is performed by the user's browser, so the protection only holds in browsers that honour the header, but most current browsers support it.
Depending on how your website is configured, implementing this may or may not be easy or efficient.
I wanted to show how easy it can be for a PHP application built on the Zend Framework MVC setup, using a simple front controller plugin. The plugin hooks into the dispatcher's routeStartup call.
<?php
/**
 * Common_Plugin_FrontController_ClickJackSecure
 *
 * file: /AppName/application/plugins/FrontController/ClickJackSecure.php
 *
 * note: register this plugin with the front controller (in your bootstrap file, generally)
 * also, if autoloading, this assumes a "Common" namespace is defined
 * (if you are not using modules, this may need to be Default_, etc.)
 *
 * @author Jesse Fry (www.jesseafry.com)
 */
class Common_Plugin_FrontController_ClickJackSecure extends Zend_Controller_Plugin_Abstract
{
    /**
     * Called once per request, before routing, so the header lands on every response.
     */
    public function routeStartup(Zend_Controller_Request_Abstract $request)
    {
        // SAMEORIGIN: the page may be framed only by pages from the same origin.
        // Use "DENY" instead to refuse rendering inside any frame at all.
        $this->getResponse()->setHeader('X-Frame-Options', 'SAMEORIGIN');
    }
}
Now you just need to register the plugin with the front controller. This is usually done in your bootstrap file.
/* ... */
class Bootstrap extends Zend_Application_Bootstrap_Bootstrap
{
    /* ... */
    /**
     * Add frontController plugins
     */
    protected function _initFrontControllerPlugins()
    {
        // Make sure the front controller resource exists before we fetch it.
        $this->bootstrap('frontController');
        $controller = $this->getResource('frontController');
        $controller->registerPlugin(new Common_Plugin_FrontController_ClickJackSecure());
    }
    /* ... */
}
Of course, you can always vary the policy for certain portions of the site by inspecting the request…
/* ... */
class Common_Plugin_FrontController_ClickJackSecure extends Zend_Controller_Plugin_Abstract
{
    /**
     * Runs after the router has matched the request, so the module and
     * controller names are populated. (In routeStartup they are not set yet,
     * and the check below would always fall through to DENY.)
     */
    public function routeShutdown(Zend_Controller_Request_Abstract $request)
    {
        // The news and events widgets may be framed by pages on the same origin;
        // every other page refuses to render inside any frame.
        if (in_array($request->getModuleName(), array('default', 'news', 'events'), true)
            && $request->getControllerName() == 'widgets') {
            $this->getResponse()->setHeader('X-Frame-Options', 'SAMEORIGIN');
        } else {
            $this->getResponse()->setHeader('X-Frame-Options', 'DENY');
        }
    }
}
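To see what the header the plugin sends actually does on the client side, here is an added example in plain PHP (mine, not code from the original post or from Zend Framework). It parses response header lines such as those printed by `curl -I`, then applies the decision a browser that honours X-Frame-Options makes, covering the edge cases of a missing, duplicated, or unrecognised header as well as the SAMEORIGIN comparison described earlier. The function names, the `.example.test` hostnames and the sample header lines are all constructed for this example.

```php
<?php
// Added example, not part of the original post or of Zend Framework. It models the
// check a browser that honours X-Frame-Options performs, so you can feed it the
// headers your site really sends (e.g. copied from `curl -I https://your-site/`)
// and see whether a given top-level page would be allowed to frame it.
// All names below are hypothetical; the sample headers are constructed.

/**
 * Reduce a URL to its origin (scheme://host[:port]), dropping default ports,
 * because SAMEORIGIN compares origins, not full URLs.
 */
function originOf(string $url): string
{
    $p = parse_url($url) ?: [];
    $scheme = strtolower($p['scheme'] ?? 'http');
    $host = strtolower($p['host'] ?? '');
    $default = ($scheme === 'https') ? 443 : 80;
    $port = $p['port'] ?? $default;
    return $port === $default ? "$scheme://$host" : "$scheme://$host:$port";
}

/**
 * Parse raw "Name: value" header lines (as printed by curl -I) into a map of
 * lower-cased name => list of values. Repeated headers are kept, not
 * overwritten, because a duplicated X-Frame-Options header changes the outcome.
 */
function parseHeaderLines(array $lines): array
{
    $headers = [];
    foreach ($lines as $line) {
        $pos = strpos($line, ':');
        if ($pos === false) {
            continue; // status line or blank line
        }
        $name = strtolower(trim(substr($line, 0, $pos)));
        $headers[$name][] = trim(substr($line, $pos + 1));
    }
    return $headers;
}

/**
 * Decide whether $pageUrl, served with $headers, would render inside a frame
 * whose top-level document is $topUrl. Returns one of:
 *   'framable' - no header at all, so any site may frame the page
 *   'allowed'  - SAMEORIGIN satisfied (same origin as the top-level page)
 *   'blocked'  - DENY, or SAMEORIGIN from a different origin
 *   'conflict' - distinct X-Frame-Options values; browsers fall back to blocking
 *   'invalid'  - unrecognised directive (including the obsolete ALLOW-FROM);
 *                browsers that do not understand it ignore the header, so an
 *                audit should treat this as framable
 */
function framingDecision(array $headers, string $pageUrl, string $topUrl): string
{
    $values = $headers['x-frame-options'] ?? [];
    if (count($values) === 0) {
        return 'framable';
    }
    // Split comma-joined values too, so "SAMEORIGIN, DENY" is seen as two directives.
    $tokens = [];
    foreach ($values as $v) {
        foreach (explode(',', $v) as $t) {
            $t = strtoupper(trim($t));
            if ($t !== '') {
                $tokens[] = $t;
            }
        }
    }
    $distinct = array_values(array_unique($tokens));
    if (count($distinct) === 0) {
        return 'invalid';
    }
    if (count($distinct) > 1) {
        return 'conflict';
    }
    if ($distinct[0] === 'DENY') {
        return 'blocked';
    }
    if ($distinct[0] === 'SAMEORIGIN') {
        // Current browsers compare against the top-level document's origin.
        return originOf($pageUrl) === originOf($topUrl) ? 'allowed' : 'blocked';
    }
    return 'invalid';
}

// Constructed sample: the response the plugin above produces for a widget page.
$widgetHeaders = parseHeaderLines([
    'HTTP/1.1 200 OK',
    'Content-Type: text/html; charset=utf-8',
    'X-Frame-Options: SAMEORIGIN',
]);
$page = 'https://app.example.test/news/widgets/latest';

printf("%-22s %s\n", 'same origin:', framingDecision($widgetHeaders, $page, 'https://app.example.test/home'));
printf("%-22s %s\n", 'third-party site:', framingDecision($widgetHeaders, $page, 'https://other.example.test/'));
printf("%-22s %s\n", 'same host, http:', framingDecision($widgetHeaders, $page, 'http://app.example.test/'));
printf("%-22s %s\n", 'no header at all:', framingDecision([], $page, 'https://other.example.test/'));

// Live check of a real deployment (does a network request; get_headers() is built-in PHP):
//   php xfo_check.php https://your-site.example.test/
if (PHP_SAPI === 'cli' && $argc > 1) {
    $lines = @get_headers($argv[1]);
    if ($lines === false) {
        fwrite(STDERR, "fetch failed\n");
        exit(1);
    }
    echo framingDecision(parseHeaderLines($lines), $argv[1], 'https://third-party.example.test/'), "\n";
}
```

Run it without arguments to see the four constructed scenarios; run it with a URL to classify what your own site returns. The 'conflict' and 'invalid' outcomes are the ones to watch for in an audit: a proxy or CDN that appends its own X-Frame-Options header is a common way for a correctly configured application to end up with two values.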