Block other websites from displaying your website pages or Feeds in iFrames, Clickjacking Protection


This topic contains 6 replies, has 4 voices, and was last updated by  AITpro Admin 2 years, 3 months ago.

  #21331

    AITpro Admin
    Keymaster

    For a while now I have not bothered to do anything about Rssing.com grabbing the AITpro.com website Feeds and posting them in iFrames on the Rssing.com site, but I see a growing problem developing that seriously concerns me, and that problem is that when I do searches in the Search Engines I see that Rssing.com search results are now competing with the AITpro.com search results for the AITpro.com websites' original content.  It would not be that big of a deal if Rssing.com did not display the original content of the AITpro.com websites in iFrames on the Rssing.com site.  To prevent other sites from displaying your website pages or Feeds in iFrames on their sites you can add the Bonus Custom Code below.

    Pros:
    There is a Read More link included in some of the Feed summaries, but not all of them. Most of the leeched Feed content is grabbed entirely without providing a source/reference link to the original content.

    Cons:
    AITpro website pages are shown in iFrames on the Rssing.com website.
    Google Analytics Metrics show that over a 1 year period 24 visits have come from Rssing.com.
    Google search results show results for Rssing.com competing with search results for AITpro.com websites.
    Rssing.com is not linking back to the AITpro websites. Webmaster Tools does not show a linkback link from Rssing.com.

    Summary:
    Rssing.com will probably cost you visitor traffic to your website and not increase visitor traffic to your website. Quite a lot of other sites have submitted requests to Google to have the Rssing.com content removed from the Google Search Engine/Database:  https://www.google.com/transparencyreport/removals/copyright/domains/rssing.com/

    Solution:
    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE
    2. Click the Save Root Custom Code button.
    3. BPS Pro 11.9+ & BPS .53.8+: Go to the Security Modes page and click the Root Folder BulletProof Mode Activate button.
    3. Older BPS versions: Go to the Security Modes page, click the Create secure.htaccess File AutoMagic button and activate Root Folder BulletProof Mode.

    Notes:
    • This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the iFrame .htaccess code and then 3. .htaccess caching code in this Custom Code text box.
    • If you add this code in an .htaccess file in the root of your hosting account (/public_html/.htaccess), then this code will be applied to all of your websites under your hosting account. You would not need to add this code to each of your other sites' .htaccess files.

    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: iFrames from the same site are allowed - other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    </IfModule>

    Clickjacking Wiki Info: http://en.wikipedia.org/wiki/Clickjacking#X-Frame-Options

    Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions.

    A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. On a clickjacked page, the attackers load another page over it in a transparent layer. The users think that they are clicking visible buttons, while they are actually performing actions on the hidden page. The hidden page may be an authentic page; therefore, the attackers can trick users into performing actions which the users never intended. There is no way of tracing such actions to the attackers later, as the users would have been genuinely authenticated on the hidden page.

    Note: You can combine the External iFrame|Clickjacking Bonus Custom Code above with the MIME sniffing|Drive-by Download Attack Bonus Custom Code here: http://forum.ait-pro.com/forums/topic/mime-sniffing-data-sniffing-content-sniffing-drive-by-download-attack-protection/

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
    #21667

    Krzysztof
    Participant

    Should this code go before or after

    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    <IfModule mod_headers.c>
    Header set X-Content-Type-Options nosniff
    </IfModule>
    #21668

    AITpro Admin
    Keymaster

    The order does not matter and/or you can combine the code:

    <IfModule mod_headers.c>
    # Block other sites from displaying your website in iFrames & Protects against Clickjacking
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: Use SAMEORIGIN. iFrames from the same site are allowed but other sites are blocked
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks & MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>
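As an added example that is not part of this thread or of BPS, here is a Python model of the check a browser performs on the X-Frame-Options header when deciding whether a response may be shown in an iFrame, following the processing steps in the HTML Standard. The URLs and header values are constructed; the comma-joined value is the form Apache's Header append produces when the header is already present.

```python
# Added example (not from the BPS forum thread): models the browser-side
# X-Frame-Options check per the HTML Standard. Origins/headers are constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (scheme, host, port) origin of an absolute URL."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))


def may_be_framed(response_url, headers, ancestor_urls):
    """Decide whether the response fetched from response_url may be displayed in a
    frame whose ancestor documents (parent first, outermost last) are at ancestor_urls.
    headers is a list of (name, value) pairs as sent on the wire, so a value such as
    'SAMEORIGIN, SAMEORIGIN' (what 'Header append' yields if the header was already
    set elsewhere) is handled the way a browser handles it."""
    raw = [v for n, v in headers if n.lower() == "x-frame-options"]
    # Split comma-separated values, normalise case, collapse duplicates into a set
    options = {t.strip().lower() for v in raw for t in v.split(",") if t.strip()}
    if not options:
        return True  # no header: X-Frame-Options imposes no restriction
    if len(options) > 1:
        # Conflicting directives that include a known one block framing;
        # several unknown values are ignored altogether.
        return not (options & {"deny", "sameorigin", "allowall"})
    (opt,) = options
    if opt == "deny":
        return False  # DENY blocks every frame, including frames on your own site
    if opt == "sameorigin":
        # Every ancestor must share the origin of the framed response itself
        target = origin_of(response_url)
        return all(origin_of(a) == target for a in ancestor_urls)
    return True  # a single unknown value (e.g. the obsolete ALLOW-FROM) is ignored


if __name__ == "__main__":
    xfo = [("X-Frame-Options", "SAMEORIGIN")]
    own_page = "https://www.example.com/post"
    print(may_be_framed(own_page, xfo, ["https://www.example.com/"]))   # True
    print(may_be_framed(own_page, xfo, ["https://leecher.example/"]))   # False
    # A third-party widget framed on your page is governed by the widget's
    # own response headers, not by the X-Frame-Options your site sends.
    print(may_be_framed("https://widget.example/captcha", [], [own_page]))  # True
```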
    #25492

    Paul
    Participant

    So am I correct in saying this

    <IfModule mod_headers.c>
    # Using DENY will block all iFrames including iFrames on your own website
    # Header set X-Frame-Options DENY
    # Recommended: SAMEORIGIN - iFrames from the same site are allowed - other sites are blocked
    # Block other sites from displaying your website in iFrames
    # Protects against Clickjacking
    Header always append X-Frame-Options SAMEORIGIN
    # Protects against Drive-by Download attacks
    # Protects against MIME/Content/Data sniffing
    Header set X-Content-Type-Options nosniff
    </IfModule>

    Goes before

    # BEGIN WEBSITE SPEED BOOST
    # Time cheat sheet in seconds

    What happens if I have iframes, i.e. tube, on my site?

    #25497

    AITpro Admin
    Keymaster

    Yes.  That is the correct place/order for the code in Custom Code.

    Solution:
    1. Copy the code below to this BPS Root Custom Code text box: CUSTOM CODE TOP PHP/PHP.INI HANDLER/CACHE CODE

    Notes:
    • This code goes after php/php.ini handler .htaccess code (if you have php/php.ini handler .htaccess code) and before any caching .htaccess code (if you have any .htaccess caching code). The order would be: 1. php/php.ini handler .htaccess code, 2. the iFrame .htaccess code and then 3. .htaccess caching code in this Custom Code text box.

    # Recommended: SAMEORIGIN – iFrames from the same site are allowed – other sites are blocked
    # Block other sites from displaying your website in iFrames

    This means that all iframes on your website are allowed. An iframe on your site loads your content from your site. If someone added an iframe on their site that iframed your site then they would be loading your site content from their site – that would not be SAMEORIGIN.

    #28682

    John
    Participant

    Hi,

    I have Google reCaptcha on my site, and it seems that Google reCaptcha button is in an iFrame. Do I understand correctly that with SAMEORIGIN, Google reCaptcha should be functioning properly?

    Thank you in advance for your reply.

    #28693

    AITpro Admin
    Keymaster

    @ John – Yes, you are correct.  An iframe on your site loads your content (Google Recaptcha) from your site. If someone added an iframe on their site that iframed your site then they would be loading your site content from their site.
