ClickJacking 対策

OWASP ZAP(Zed Attack Proxy)でペネトレーションテストを行ったWebサイトにて、以下のアラートが検出された。

アラート X-Frame-Options header not set
Risk Informational
Reliablity Warning
Description X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks
Solution Most modern Web browsers support the X-Frame-Options HTTP header, ensure it’s set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g. it’s part of a FRAMESET) then you’ll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY.
Reference http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx?Redirected=true

Continue reading