umbraco | security | aspnet

Enable Click-Jacking Protection - Umbraco

If your site can be loaded in an IFRAME by another site, it is susceptible to clickjacking: an attacker overlays your page with their own invisible frame and tricks users into clicking controls they cannot see. This can be prevented by sending the X-Frame-Options header, or the Content-Security-Policy frame-ancestors directive that supersedes it. This article explains how to set X-Frame-Options in Umbraco.

Abhith Rajan · April 07, 2018 · 2 min read

Umbraco makes it easy to protect your site from clickjacking by letting you turn the protection on from the backoffice. Navigate to the Developer section of the Umbraco backoffice and open the Health Check tab. One of its groups is "Security", and inside it there is a check for Click-Jacking Protection. Running the security group shows a warning if the header is missing, and you can enable the protection from there with a single click, which adds the following to the system.webServer section of your web.config:

<httpProtocol>
  <customHeaders>
    <remove name="X-Powered-By" />
    <remove name="X-Frame-Options" />
    <add name="X-Frame-Options" value="sameorigin" />
  </customHeaders>
</httpProtocol>

Setting X-Frame-Options to SAMEORIGIN means the page can only be displayed in a frame whose origin is the same as the page itself (the value is case-insensitive, so the lower-case "sameorigin" Umbraco writes is fine). You can also set it to DENY, which refuses framing entirely, but then you have to exclude the /umbraco path, because the Umbraco backoffice uses iframes of its own pages and would break. Note that X-Frame-Options only distinguishes "nobody" from "same origin"; the ALLOW-FROM value was never widely supported, so if you need to allow a specific third-party origin, use the CSP frame-ancestors directive instead.
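The DENY-with-backoffice-exclusion variant, as an added example that is not from the original post and not Umbraco's own generated config. It assumes the backoffice is at the default /umbraco path and that the site runs under the IIS integrated pipeline, where a location element can override system.webServer settings; the Content-Security-Policy lines are an addition for browsers that prefer frame-ancestors over X-Frame-Options:

```xml
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <!-- Site-wide: refuse to be framed by any origin. -->
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="X-Powered-By" />
        <remove name="X-Frame-Options" />
        <add name="X-Frame-Options" value="DENY" />
        <!-- frame-ancestors 'none' is the CSP equivalent of DENY (assumed addition, not what Umbraco writes). -->
        <add name="Content-Security-Policy" value="frame-ancestors 'none'" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>

  <!-- Backoffice only: it frames its own pages, so relax to same-origin under /umbraco.
       Each header must be removed before it is re-added; a duplicate <add> of the same
       header name is a configuration error in IIS. -->
  <location path="umbraco">
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <remove name="X-Frame-Options" />
          <add name="X-Frame-Options" value="SAMEORIGIN" />
          <remove name="Content-Security-Policy" />
          <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
  </location>
</configuration>
```

After deploying, confirm the headers on both a public page and a backoffice URL (for example with `curl -I`), since the location override only takes effect when the request path actually starts with /umbraco.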

Also, make sure you copy the updated web.config back into your source code (version control) if you enabled clickjacking protection via the backoffice, because the Health Check edits the file on the server only. Otherwise your next web deploy will overwrite the server's web.config with the version from source control and silently drop the header.



Written by Abhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He has been coding for almost a decade now. He codes 🧑‍💻, writes ✍️, learns 📖 and advocates 👍.
