  • Jason 92 posts 175 karma points
    Jun 06, 2017 @ 10:43
    Jason
    0

    Suppressing the anti-forgery X-Frame-Options header in Global.asax weakens security despite setting X-Frame-Options in Web.config?

    Our MVC5 application contains a partial view that renders a Html.AntiForgeryToken on all pages using the Master.cshtml.

    On pages where we render another form, and another Html.AntiForgeryToken, on form submission an exception is thrown:

    Server cannot append header after HTTP headers have been sent.
    

    To avoid the exception, within the Global.asax App_Start we can specify:

    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    

    Our concern here is that we're enabling others to embed our website as an iframe, and so enabling 'clickjacking'?

    The above-mentioned exception occurs regardless of us also using Umbraco 7.6.1, which requires that we specify the following within our Web.config (otherwise we're unable to Republish the entire site):

    <httpProtocol>
     <customHeaders>
      <remove name="X-Powered-By" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
     </customHeaders>
    </httpProtocol>
    

    Is there an alternative to this contradictory configuration? Are we weakening security?

  • Jason 92 posts 175 karma points
    Jun 12, 2017 @ 15:35
    Jason
    0

    Would really appreciate assistance

  • Dave Woestenborghs 3504 posts 12135 karma points MVP 9x admin c-trib
    Jun 12, 2017 @ 17:14
    Dave Woestenborghs
    0

    Hi Jason,

    We also use the config setting in the web.config. We didn't have to do anything special to get forms working.

    Maybe you can post the code of how you render the form ?

    Dave

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Jun 13, 2017 @ 06:52
    Jeffrey Schoemaker
    2

    Hi Jason,

    If you have an Html.AntiForgeryToken() on your page, it will automatically add an X-Frame-Options header with the value "SameOrigin". The only weird thing is that if you have, for example, five forms on your page, you will get a header that contains the value "SameOrigin, SameOrigin, SameOrigin, SameOrigin, SameOrigin"; so five times that value. In my opinion that is a bug in .NET and MVC.

    The workaround is exactly as you commented already.

    1) Add in the Global.asax.cs the line:

    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
    

    2) Specify the X-Frame-Options-header in the web.config

    <add name="X-Frame-Options" value="SAMEORIGIN" />
    

    If you do these two things, everything will work fine; you'll get the correct headers and you don't have to worry about 'clickjacking'.

    Regards,

    Jeffrey

  • Jason 92 posts 175 karma points
    Jun 14, 2017 @ 10:08
    Jason
    0

    Thanks Jeffrey. Could you point me to a resource that confirms your reassurance about clickjacking?

  • Jeffrey Schoemaker 408 posts 2138 karma points MVP 8x c-trib
    Jun 14, 2017 @ 10:35
    Jeffrey Schoemaker
    1

    Hi Jason,

    Not really, but if you just check the headers that have been sent (by using the developer tools in Chrome, for example) you can verify that the header is sent correctly.

    See for example this page: https://www.perplex.nl/en/expertise/umbraco-cms/. If you check it in the Developer tools you will see the header, thus it's working, thus it's protecting you from clickjacking:


    Another way is using this website: https://securityheaders.io/.

    Hope this helps,

    Jeffrey
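
    The two replies above describe the workaround (suppress the per-token header in Global.asax, emit a single X-Frame-Options from web.config) and then suggest verifying the result by looking at the response headers. The script below is an added example, not code from this thread or from Umbraco or ASP.NET; it automates that verification. It parses a raw HTTP response, checks that exactly one well-formed X-Frame-Options value is present, and flags the three situations discussed: the single SAMEORIGIN that IIS customHeaders emits, the duplicated "SameOrigin, SameOrigin, ..." value produced by several Html.AntiForgeryToken() calls, and no header at all after suppression. The sample responses are constructed here, not captured from any site, and the rule that a repeated value fails the check is this example's own choice, based on the RFC 7034 grammar defining one value per response.

```python
"""Audit the X-Frame-Options header of an HTTP response.

Added example for the thread above; not code from the original posts or from
Umbraco/ASP.NET. Sample responses are constructed inline so it runs offline.
"""
from __future__ import annotations

from typing import Dict, List, Tuple
from urllib.request import Request, urlopen  # used only by fetch_raw_headers()

# RFC 7034 grammar: X-Frame-Options = "DENY" / "SAMEORIGIN" / "ALLOW-FROM" RWS origin.
# ALLOW-FROM is in the grammar but never gained universal browser support, so it
# is reported as weak rather than as a pass. Values are compared case-insensitively.
STRONG_VALUES = {"DENY", "SAMEORIGIN"}


def parse_raw_response(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP response into its status line and a header map.

    Header names are lower-cased; every occurrence of a header is kept as a
    separate list entry so duplicates are visible to the checker.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    status = lines[0]
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_x_frame_options(headers: Dict[str, List[str]]) -> Tuple[bool, str]:
    """Return (ok, reason) for the X-Frame-Options header(s) of a response.

    ok is True only for a single DENY or SAMEORIGIN value. A missing header
    leaves the page frameable by any origin; repeated values (e.g. the
    "SameOrigin, SameOrigin" produced by multiple anti-forgery tokens) fall
    outside the RFC 7034 grammar and are reported as non-standard.
    """
    raw_values = headers.get("x-frame-options", [])
    if not raw_values:
        return False, "missing: page can be framed by any origin (clickjacking risk)"
    # IIS/ASP.NET may fold repeated headers into one comma-separated line, and a
    # server may also send several header lines; split both forms the same way.
    values = [v.strip().upper() for line in raw_values for v in line.split(",") if v.strip()]
    if len(values) != 1:
        return False, f"non-standard: {len(values)} values present {values}"
    value = values[0]
    if value in STRONG_VALUES:
        return True, f"ok: {value}"
    if value.startswith("ALLOW-FROM "):
        return False, f"weak: {value} (ALLOW-FROM is not honoured by all browsers)"
    return False, f"invalid value: {value!r}"


def audit(raw: bytes) -> Tuple[bool, str]:
    """Parse a raw response and check its X-Frame-Options header."""
    _, headers = parse_raw_response(raw)
    return check_x_frame_options(headers)


def fetch_raw_headers(url: str, timeout: float = 10.0) -> bytes:
    """Fetch a live URL and rebuild its status line and headers as raw bytes so
    audit() can run on it. Needs network access; not called in this file."""
    with urlopen(Request(url, method="GET"), timeout=timeout) as resp:
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")


# Constructed sample responses mirroring the cases discussed in the thread.
SAMPLES = {
    "suppressed in Global.asax, set once in web.config": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html; charset=utf-8\r\n"
        b"X-Frame-Options: SAMEORIGIN\r\n"
        b"\r\n<html></html>"
    ),
    "five anti-forgery tokens, MVC header not suppressed": (
        b"HTTP/1.1 200 OK\r\n"
        b"X-Frame-Options: SameOrigin, SameOrigin, SameOrigin, SameOrigin, SameOrigin\r\n"
        b"\r\n"
    ),
    "suppressed in Global.asax but forgotten in web.config": (
        b"HTTP/1.1 200 OK\r\n"
        b"Content-Type: text/html\r\n"
        b"\r\n"
    ),
}


if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        ok, reason = audit(raw)
        print(f"{'PASS' if ok else 'FAIL'}  {label}: {reason}")
```

    Only the first sample passes, which is the configuration Jeffrey describes. To run it against a deployed site, feed `fetch_raw_headers("https://your-site.example/")` into `audit()`; check a page that renders more than one form, since that is where the per-token header would have appeared.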

  • Jason 92 posts 175 karma points
    Jun 14, 2017 @ 12:30
    Jason
    0

    Hi Jeffrey, just the evidence I was looking for - thank you. Jason
