Clickjacking protection through X-Frame-Options and STS

perusio

Hello everyone,

I've extensively used the configurations available on GitHub by omega8cc and yhager. I've added a few things myself and I will share them on GitHub soon.

One of the things I added is clickjacking protection through the X-Frame-Options header. This is supported in modern browsers and also in IE8. See the Mozilla Dev Center explanation of this header.

The best thing is to add in your server context:

add_header X-Frame-Options sameorigin;

Replace sameorigin with deny to disable framing from all domains, including your own.

There's also Strict Transport Security for SSL/TLS connections.
It forces the connection to be through HTTPS and disables any HTTP-only requests. PayPal implements it on their HTTPS-only site. Here's an example. Force HTTPS on all requests for 2 hours (7200 seconds):

add_header Strict-Transport-Security "max-age=7200";

I really like the idea of using HTTPAuth to protect install.php and other Drupal sensitive files in yhager's configuration.
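As an added example (not perusio's configuration and not part of the original post), here is a small Python check that audits a response's X-Frame-Options and Strict-Transport-Security headers, the way a defender would verify that the two add_header lines above actually took effect. It assumes headers are supplied as a name/value dict, for instance from an HTTP client library's response object.

```python
# Added example: audit the two headers discussed in the post.
# Assumption: `headers` is a {name: value} dict taken from an HTTPS response.
from typing import Dict, List, Optional


def parse_hsts(value: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse a Strict-Transport-Security value (RFC 6797 syntax).

    Directives are ';'-separated, names are case-insensitive and
    'max-age' is mandatory. Returns None if the value is malformed,
    which is what a browser would effectively do (ignore the header).
    """
    directives: Dict[str, Optional[str]] = {}
    for raw in value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, val = raw.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name in directives:  # a duplicated directive invalidates the header
            return None
        directives[name] = val if val != "" else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return directives


def audit(headers: Dict[str, str], min_max_age: int = 7200) -> List[str]:
    """Return a list of findings; an empty list means both headers look right."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options missing: page can be framed (clickjacking)")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has unexpected value {xfo!r}")

    sts = h.get("strict-transport-security")
    if sts is None:
        findings.append("Strict-Transport-Security missing: HTTPS not enforced")
    else:
        parsed = parse_hsts(sts)
        if parsed is None:
            findings.append(f"Strict-Transport-Security malformed: {sts!r}")
        elif int(parsed["max-age"]) < min_max_age:
            findings.append(f"HSTS max-age {parsed['max-age']} is below {min_max_age}")
    return findings
```

Running audit() against the headers of a page served with the two directives from the post returns no findings, while a malformed value such as a bare "max-age" is reported rather than silently accepted.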

Comments


brianmercer

Interesting. Thanks for the info.

Thanks for sharing

omega8cc

Please let us know when your repo will be available so we can add it to the "Nginx for Drupal configuration projects on GitHub" list in the group header.


p0deje

It's also implemented in the Security Kit module - http://drupal.org/project/seckit
