Securing my ASP.net MVC3 Website against “Click jacking”

盖世英雄少女心 2021-01-05 00:35

Recently I was flipping through some security issues faced by websites. Fortunately I came across a new term, "Click jacking".

I understood that this attack happens on

3 Answers
  • 2021-01-05 00:44

    Just put the following code under the <system.webServer> section in the web.config file

    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY"/>
      </customHeaders>
    </httpProtocol>
    

    NOTE: The X-Frame-Options header may contain one of three tokens. You can add any one of these. Each one has its own significance.

    • DENY
    • SAMEORIGIN
    • ALLOW-FROM origin

    For details, visit the MSDN blog: Combating ClickJacking With X-Frame-Options

  • 2021-01-05 01:01

    In your Global.asax you can add the following

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("x-frame-options", "SAMEORIGIN");
    }
    
  • 2021-01-05 01:01

    Have a look at this:

    https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options#Configuring_Apache

    It's basically a response header sent out on all responses. You can code your site to do this for each individual page, but a better approach, if you are able to edit the configuration for JUST YOUR SITE, is to handle it there...

    Both APACHE and IIS should have options for this - the IIS one seems to be here:

    http://support.microsoft.com/kb/2694329

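
Added example, not part of any answer above and not code from the original page: a Python check for the X-Frame-Options values a response actually carries, covering the three tokens listed in the first answer and the case where the web.config and Global.asax snippets are both applied to the same site. `audit_xfo` and `SAMPLES` are hypothetical names, and the header sets are constructed.

```python
# Added example: audit the X-Frame-Options values of one HTTP response.
# audit_xfo and SAMPLES are hypothetical names; the header sets are constructed.

ENFORCED = {"deny", "sameorigin"}  # the two tokens current browsers enforce

def audit_xfo(header_values):
    """header_values: raw X-Frame-Options values, one list item per header line.
    Returns (verdict, detail)."""
    # Two header lines and one folded "a, b" line are equivalent in HTTP,
    # so split on commas and compare tokens case-insensitively.
    tokens = [t.strip().lower() for v in header_values for t in v.split(",") if t.strip()]
    if not tokens:
        return ("missing", "no framing policy sent")
    distinct = sorted(set(tokens))
    if len(distinct) > 1:
        # Typical cause: the header is set in web.config AND in Global.asax.
        # Browsers following the HTML Standard treat conflicting values as DENY.
        return ("conflict", "multiple policies: " + ", ".join(distinct))
    token = distinct[0]
    if token in ENFORCED:
        detail = token.upper()
        if len(tokens) > 1:
            detail += " (sent %d times, set it in one place)" % len(tokens)
        return ("ok", detail)
    if token.startswith("allow-from"):
        # ALLOW-FROM is obsolete and not honoured by current major browsers;
        # CSP frame-ancestors is its replacement.
        return ("unsupported", token)
    return ("invalid", "unrecognised token: " + token)

SAMPLES = {  # constructed response header sets
    "web.config only": ["DENY"],
    "web.config + Global.asax": ["DENY", "SAMEORIGIN"],
    "folded by a proxy": ["DENY, SAMEORIGIN"],
    "same value twice": ["SAMEORIGIN", "sameorigin"],
    "allow-from": ["ALLOW-FROM https://partner.example"],
    "header absent": [],
}

if __name__ == "__main__":
    for name, values in SAMPLES.items():
        print("%-26s %s" % (name, audit_xfo(values)))
```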