Clickjacking is a type of attack where the attacker tricks website users into clicking something different from what they see, thus performing an action that may, for example, reveal confidential data or have any other negative impact on the user.

In a typical clickjacking scenario, the attacker places a transparent frame, which contains a button or a link, within a page over another element on a website. The underlying element can be an image or a video, which the users expect to play when they click it. Instead, they click the concealed link or button. This way, the attacker can make the users perform unintended actions, usually on websites where the users are authenticated.

To prevent such attacks, Kentico does not allow embedding of pages rendered into frames. It does that by including a special entry in the HTTP response headers:

X-frame-options: SAMEORIGIN

The header ensures that pages displayed in frames originate on the same server as the parent page. If they don’t, browsers do not render them.

This feature is enabled by default for all websites and their pages. However, you can exclude paths where you don’t want the header to be used. To do that, add the CMSXFrameOptionsExcluded key into the appSettings section of your web.config file:

<add key="CMSXFrameOptionsExcluded" value="/Services;/Products;/Partners" />

The system excludes all pages under the specified paths from the clickjacking protection.

  • You can enter any alias path as a value.
  • To exclude multiple paths, enter values separated by semicolons (;).
  • Entering “/” turns off the protection completely.
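The following is an added example, not Kentico's own code: an offline audit of a web.config that lists the excluded paths, flags the "/" value that disables the protection, and reports which sensitive paths would be served without the header. The sample configuration, the function names and the matching rule (case-insensitive prefix match at a path-segment boundary) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not taken from a real site).
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="CMSXFrameOptionsExcluded" value="/Services;/Products;/Partners" />
  </appSettings>
</configuration>"""

KEY = "cmsxframeoptionsexcluded"

def _norm(path):
    # Lower-case and drop trailing slashes, but keep the root path as "/".
    return path.strip().lower().rstrip("/") or "/"

def excluded_paths(web_config_xml):
    """Return the normalized paths listed in CMSXFrameOptionsExcluded."""
    root = ET.fromstring(web_config_xml)
    paths = []
    for add in root.findall("./appSettings/add"):
        if (add.get("key") or "").lower() == KEY:
            for raw in (add.get("value") or "").split(";"):
                if raw.strip():
                    paths.append(_norm(raw))
    return paths

def is_excluded(request_path, paths):
    """True if request_path falls under an excluded path.

    Assumption: matching is a case-insensitive prefix match at a
    segment boundary; "/" excludes everything, as the page states.
    """
    p = _norm(request_path)
    return any(ex == "/" or p == ex or p.startswith(ex + "/") for ex in paths)

def audit(web_config_xml, sensitive_paths):
    """Summarize what the exclusion list leaves without the header."""
    paths = excluded_paths(web_config_xml)
    return {
        "excluded": paths,
        "protection_disabled": "/" in paths,
        "unprotected_sensitive": [s for s in sensitive_paths
                                  if is_excluded(s, paths)],
    }

if __name__ == "__main__":
    # Hypothetical sensitive paths chosen for the demonstration.
    print(audit(SAMPLE_WEB_CONFIG, ["/Services/Account", "/Checkout"]))
```

Run the audit against the deployed web.config with the paths that perform authenticated actions; any entry in unprotected_sensitive needs another framing defense or should be removed from the exclusion list.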

Special cases where the X-frame-options header is not included

There are a few special cases where this particular protection is disabled by the system.

These cases include preview modes of objects (for example, transformations) which can be displayed in the context of different websites and different domains. To display the previews of these objects properly, Kentico does not include the X-frame-options header in such pages. Therefore, to maintain the security protection against clickjacking, Kentico adds a special clickjacking hash to the URL of the particular frame. The content of the frame is displayed only if hash validation is successful. Otherwise the data is considered malicious and the content from the different domain is not rendered.