X-Frame-Options not working IIS web.config

Moi Hawk · Aug 14, 2014 · Viewed 79.5k times

Our site is not currently safe from clickjacking, so I went into the web.config and added

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

This is very straightforward code. My issue is that it's just not working. The questions I have are:

  1. Is there a way for me to see if the X-Frame-Options is in the header response? I looked for it with httpfox and got nothing, so I can't verify if the web.config is actually putting things in the header.
  2. Why is this not working? What can I do to test or move forward?

I did try to add it in the Global.asax in the Application_Start method, but I can't seem to "hit" this method when I debug; it does not hit breakpoints.

private void Application_Start(object sender, EventArgs e)
{
    // Code that runs on application startup.
    // Application_Start fires once per application domain, not once per response,
    // so the header written here is only attached to whatever response object
    // exists at startup time.
    HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");

    LogHelper.Info("Cost of Care Web Application Starting");
}

I would like to add that I have tried to add it straight into the head tag and I've also tried to add it in a meta tag like so

<meta http-equiv="X-Frame-Options" content="deny">

Answer

Voltur · Mar 15, 2016

The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:

  1. Open Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
  3. Double-click the HTTP Response Headers icon in the feature list in the middle.
  4. In the Actions pane on the right side, click Add.
  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN or DENY in the Value field.
  6. Click OK to save your changes.
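Whichever route you take (the web.config fragment from the question or the IIS Manager steps above, which write the same `customHeaders` entry into the site's web.config), the only thing that matters is what actually arrives on the wire, which is the questioner's first question. The script below is an added example, not code from the question, the answer, or IIS. It parses a raw HTTP response the way a client sees it and reports whether a browser would honour the anti-framing header: missing, protected (a single DENY or SAMEORIGIN), conflicting (two different values, e.g. one from web.config and one added in IIS Manager), unsupported (ALLOW-FROM, which current browsers ignore), or CSP (a `frame-ancestors` directive, which takes precedence over X-Frame-Options). The sample responses are constructed, not captured from a real server; `live_headers` is there for checking a real site and needs network access. Note that a `<meta http-equiv="X-Frame-Options">` tag never shows up in the response headers, so this check correctly reports it as missing.

```python
"""Verify that an HTTP response really carries a usable anti-framing header.

Added example for this page, not taken from the question or answer.
"""
import http.client
from urllib.parse import urlsplit

# Values current browsers honour. ALLOW-FROM was never standardised and is
# ignored, which leaves the page frameable.
HONOURED = {"deny", "sameorigin"}


def parse_raw_response(raw: bytes) -> list[tuple[str, str]]:
    """Split a raw HTTP/1.x response into lower-cased (name, value) pairs.

    Duplicates are kept: the framing decision depends on every value sent.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    if not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    headers = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers


def framing_verdict(headers: list[tuple[str, str]]) -> str:
    """Classify anti-framing protection from a list of (name, value) headers.

    'csp'         : Content-Security-Policy frame-ancestors present; browsers
                    that support it ignore X-Frame-Options.
    'protected'   : one distinct X-Frame-Options value, DENY or SAMEORIGIN.
    'conflict'    : several distinct values (misconfiguration; fix it rather
                    than rely on a browser's tie-breaking).
    'unsupported' : a value such as ALLOW-FROM that current browsers ignore.
    'missing'     : no anti-framing header at all.
    """
    csp = [v for n, v in headers if n == "content-security-policy"]
    if any("frame-ancestors" in v.lower() for v in csp):
        return "csp"
    xfo = []
    for n, v in headers:
        if n == "x-frame-options":
            # One header line may carry a comma-separated list of values.
            xfo.extend(part.strip().lower() for part in v.split(","))
    distinct = set(xfo)
    if not distinct:
        return "missing"
    if len(distinct) > 1:
        return "conflict"
    return "protected" if distinct.pop() in HONOURED else "unsupported"


def check_raw(raw: bytes) -> str:
    """Convenience wrapper: verdict for a raw response."""
    return framing_verdict(parse_raw_response(raw))


def live_headers(url: str, timeout: float = 10.0) -> list[tuple[str, str]]:
    """Fetch a URL (GET, body not read) and return its headers. Needs network."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/")
        return [(n.lower(), v) for n, v in conn.getresponse().getheaders()]
    finally:
        conn.close()


# Constructed sample responses (not captured from any real server).
SAMPLE_UNPROTECTED = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Powered-By: ASP.NET\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n<html></html>"
)
SAMPLE_PROTECTED = (
    b"HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/8.5\r\nX-Frame-Options: DENY\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
)
SAMPLE_CONFLICT = (
    b"HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unprotected", SAMPLE_UNPROTECTED),
                       ("protected", SAMPLE_PROTECTED),
                       ("conflict", SAMPLE_CONFLICT)):
        print(f"{label:12s} -> {check_raw(raw)}")
    # Live use: print(framing_verdict(live_headers("https://your-site.example/")))
```

Run it as-is to see the three constructed verdicts; to test the real site, call `framing_verdict(live_headers(url))` against the page that is supposed to be protected. If that returns `missing` while web.config contains the `customHeaders` entry, the header is not being emitted for that response, which is where to keep looking.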