Kentico CMS 7.0 Developer's Guide

Clickjacking protection

Clickjacking protection

Previous topic Next topic Mail us feedback on this topic!  

Clickjacking protection

Previous topic Next topic JavaScript is required for the print function Mail us feedback on this topic!  

Clickjacking is a type of attack where the attacker tricks a website user into clicking something different that what they see, thus performing an action that may for example reveal confidential data or have any other negative impact on the user. In a typical clickjacking scenario, the attacker places a transparent frame with a page, that contains a button or a link, over another element on a website. The underlying element can be an image or a video, which the user expects to play when they click it. Instead, they click the concealed link or button. This way the attacker can make the users perform unintended actions, usually on websites the users are authenticated on.


To prevent such attacks, Kentico CMS disallows embedding pages it renders into frames. It does that by including a special entry in the HTTP response headers:


X-frame-options: SAMEORIGIN


The header ensures that pages that are displayed in frames originate on the same server as the parent page. If they don't, browsers do not render them.


This feature is enabled by default for all websites and their pages, however, you can exclude paths where you don't want the header to be used. To do that, add the following key into the appSettings section of your web.config:


<add key="CMSXFrameOptionsExcluded" value="/Services" />


As a value, you can enter any alias path. All documents under this path will be excluded from the protection. Entering "/" turns off the protection altogether.