0 votes
by (2.5k points)
As title, I have an ASP.NET web application that I want to prevent clickjacking. What should I use to prevent this?

1 Answer

0 votes
by (2.5k points)

It actually depends on how you are hosting your application (e.g. Is it hosted on IIS, Apache, Nginx? Does it have a web application firewall infront of it?)

But in short, you want to set a X-Frame-Options header to "SAMEORIGIN" to block people from iframing your site. I will note that if you yourself are iframing your site then you'll need to do more work. 

If you want to set this in code, you can do it in your configure method : 

public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
        await next();
    });

    app.UseMvc();
}

This just adds an X-Frame-Options header and disallows people from iframing your website. 

If you're looking for further options (Like you need to iframe your own website), or you want to do this at the web server level (IIS/Apache etc), then you can read more here : https://dotnetcoretutorials.com/2017/01/08/set-x-frame-options-asp-net-core/

Welcome to .NET Q&A, where you can ask questions and receive answers from other members of the community.
...