Note: This guide describes Kentico CMS version 7. Unfortunately, we cannot support this guide from version 8 forward.


Clickjacking is a type of attack in which the attacker tricks website users into clicking something different from what they see, thus performing an action that may, for example, reveal confidential data or have some other negative impact on the user.

In a typical clickjacking scenario, the attacker places a transparent frame containing a page with a button or a link over another element on a website. The underlying element can be an image or a video, which the users expect to play when they click it. Instead, they click the concealed link or button. This way the attacker can make the users perform unintended actions, usually on websites where the users are authenticated.

To prevent such attacks, Kentico CMS disallows embedding the pages it renders in frames on other websites. It does so by including the following entry in the HTTP response headers:

X-frame-options: SAMEORIGIN

The header instructs browsers to render a page inside a frame only if the page originates from the same origin (server) as the parent page that contains the frame. If it does not, the browser refuses to render the framed page.

To exclude part of the website from this protection, add the following key to the appSettings section of your web.config file:

<add key="CMSXFrameOptionsExcluded" value="/Services" />

As the value, you can enter any alias path. All documents under this path are excluded from the protection. You can specify multiple paths separated by semicolons (;). Entering "/" turns the protection off altogether.
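The following Python script is an added example (it is not Kentico's code and does not use the Kentico API). It models the decision described above, namely whether a document at a given alias path receives the X-Frame-Options: SAMEORIGIN header under a given CMSXFrameOptionsExcluded value, including the semicolon-separated list and the "/" switch-off, and adds a browser-side check of what SAMEORIGIN means for a framing origin. The path names and the sample responses in the audit helper are constructed for the example.

```python
"""Models Kentico CMS v7's X-Frame-Options exclusion rule as described in the
documentation. Added example, not Kentico's implementation; sample values are
constructed."""
from typing import Iterable, Optional

XFO_VALUE = "SAMEORIGIN"


def parse_excluded_paths(setting: Optional[str]) -> list[str]:
    """Split the CMSXFrameOptionsExcluded value into normalized alias paths."""
    if not setting:
        return []
    paths = []
    for raw in setting.split(";"):
        p = raw.strip()
        if not p:
            continue
        if not p.startswith("/"):
            p = "/" + p
        if len(p) > 1:
            p = p.rstrip("/")  # keep "/" itself intact, it means "everything"
        paths.append(p)
    return paths


def is_excluded(alias_path: str, excluded: Iterable[str]) -> bool:
    """True if the document is at or under an excluded path; "/" excludes all."""
    ap = alias_path if alias_path.startswith("/") else "/" + alias_path
    ap = ap.rstrip("/") or "/"
    for ex in excluded:
        if ex == "/":
            return True
        # Only whole path segments count: "/Services" must not match "/ServicesX".
        if ap == ex or ap.startswith(ex + "/"):
            return True
    return False


def x_frame_options_header(alias_path: str, setting: Optional[str]) -> Optional[tuple[str, str]]:
    """Header to add to the response for this document, or None if excluded."""
    if is_excluded(alias_path, parse_excluded_paths(setting)):
        return None
    return ("X-Frame-Options", XFO_VALUE)


def allows_framing(xfo: Optional[str], page_origin: str, framing_origin: str) -> bool:
    """Browser-side view: may a frame hosted on framing_origin render the page?"""
    if xfo is None:
        return True  # no header, no restriction
    v = xfo.strip().upper()
    if v == "DENY":
        return False
    if v == "SAMEORIGIN":
        return page_origin.lower() == framing_origin.lower()
    # Values the browser does not recognize are ignored, i.e. treated as absent.
    return True


def audit_responses(responses: dict[str, dict[str, str]]) -> list[str]:
    """Return URLs whose response carries no X-Frame-Options header (defender check
    over captured responses; header lookup is case-insensitive)."""
    missing = []
    for url, headers in responses.items():
        lowered = {k.lower(): v for k, v in headers.items()}
        if "x-frame-options" not in lowered:
            missing.append(url)
    return missing


if __name__ == "__main__":
    setting = "/Services;/Partners/Widgets"
    for path in ("/Home", "/Services/Api", "/Partners/Widgets/Calendar", "/ServicesX"):
        print(path, "->", x_frame_options_header(path, setting))
    # Constructed sample responses, as an audit input.
    sample = {
        "https://www.example.com/Home": {"X-Frame-Options": "SAMEORIGIN"},
        "https://www.example.com/Services/Api": {"Content-Type": "text/html"},
    }
    print("missing header:", audit_responses(sample))
```

Run the script directly to see which constructed paths keep the header; the audit helper is the kind of check to run over captured responses after changing the exclusion setting, since every excluded path is a page that other origins may frame.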

Special cases where the X-frame-options header is not included

There are a few special cases where this particular protection is disabled by the system.

These cases are the preview modes of objects (for example, transformations), which can be displayed in the context of different websites and different domains. To display the previews of these objects properly, Kentico does not include the X-frame-options header in such pages. To maintain the protection against clickjacking anyway, Kentico adds a special clickjacking hash to the URL of the particular frame. The content of the frame is displayed only if validation of the hash succeeds. Otherwise the request is considered malicious and the content from the different domain is not rendered.
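The page does not describe how the clickjacking hash is computed, so the following is an added illustrative design, not Kentico's implementation: a keyed hash (HMAC-SHA256) over the frame URL's path and query, appended as a query parameter and checked before the preview content is rendered. The parameter name, the secret and the preview path are constructed assumptions for the example. The point it shows is that the hash binds the frame URL to a server-side secret, so a URL built or altered by a third party fails validation and nothing is rendered.

```python
"""Illustrative hash-validated frame URL (added example; not Kentico's
algorithm). The secret, parameter name and preview path are constructed."""
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

HASH_PARAM = "hash"  # assumed query parameter name for the example


def _canonical(path: str, pairs: list[tuple[str, str]]) -> bytes:
    """Deterministic representation of path + query (hash parameter removed,
    parameters sorted) so that parameter order does not affect the hash."""
    others = sorted((k, v) for k, v in pairs if k != HASH_PARAM)
    return (path + "?" + urlencode(others)).encode("utf-8")


def sign_frame_url(url: str, secret: bytes) -> str:
    """Append a keyed hash of the URL's path and query as the hash parameter."""
    parts = urlsplit(url)
    pairs = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True) if k != HASH_PARAM]
    digest = hmac.new(secret, _canonical(parts.path, pairs), hashlib.sha256).hexdigest()
    pairs.append((HASH_PARAM, digest))
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(pairs), parts.fragment))


def verify_frame_url(url: str, secret: bytes) -> bool:
    """True only if exactly one hash parameter is present and it matches the
    keyed hash of the remaining path and query."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    provided = [v for k, v in pairs if k == HASH_PARAM]
    if len(provided) != 1:
        return False
    expected = hmac.new(secret, _canonical(parts.path, pairs), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the digest through timing.
    return hmac.compare_digest(expected, provided[0])


def render_preview(url: str, secret: bytes, content: str) -> Optional[str]:
    """Server-side gate: return the preview markup only for a validly signed
    frame URL; None means the content is not rendered."""
    return content if verify_frame_url(url, secret) else None


if __name__ == "__main__":
    secret = b"constructed-demo-secret"  # would be a server-side secret in practice
    # Constructed preview URL for the example; no real Kentico path is implied.
    url = sign_frame_url("https://site.example/Preview/Transformation?objectid=42&mode=preview", secret)
    print("signed:", url)
    print("valid:", verify_frame_url(url, secret))
    print("tampered valid:", verify_frame_url(url.replace("objectid=42", "objectid=43"), secret))
    print("rendered:", render_preview(url, secret, "<div>preview</div>"))
```

Only the path and query are covered by the hash, since the same preview is legitimately shown under different domains; anything the server does not want an outsider to change must therefore be inside the signed part of the URL, and the secret must never reach the client.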
