Protecting Your Website From ClickJacking


Summary

This article provides information on how to Protect your Website from ClickJacking.

Applies To

This article applies to MachPanel v6 and above.

Steps and Procedure

To protect website from clickjacking, it is required to append a Content Security Policy header to the HTTP response with frame-ancestors directive sent by web server.

Custom header can be added to a website in IIS as shown below.

 

 

Inside ‘Value’ for ‘frame-ancestors’ multiple values can be specified separated by white space like below

Frame-ancestors ‘self’ ‘https://*.jquery.com’ ‘https://www.example.com’ ‘https://*.providesupprot.com’;

For Machpanel add as below

frame-ancestors ‘self’ ‘https://*.duosecurity.com’ ‘https://app.powerbi.com’

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors

https://content-security-policy.com/

https://portswigger.net/web-security/cross-site-scripting/content-security-policy