What is the X-Frame-Options header point?

Question

What is the X-Frame-Options header point?

I am working on an application in which users can embed their website in surrounding content by loading it into an iframe. This, obviously, depends on the fact that X-Frame-Options is not installed on the users website to work. I asked the client to create a reverse proxy server because they did not want to remove the X-Frame-Options header from their site for security problems.

I install a proxy server and everything works, but what is the X-Frame-Options header point, if its as simple as creating a proxy server to get around?

I understand that a header exists to prevent a click, but if someone can just make a proxy to bypass it ... does this really increase security?

I'm not from the world of enterprise solutions, can you help me understand the reasons why the IT department will be resistant to removing the header?

I noticed that google.com and facebook.com also set the title, so it can't be completely pointless?

thank

+2

security web iframe x-frame-options

jschr Dec 22 '15 at 15:50

source share

2 answers

X-Frame-Options clickjacking

, , , , . , , / .

, - . - -. , , -, , clickjacking.

+2

UnknownCoder 15 . '16 20:46

Barry Pollard · Accepted Answer · 2015-12-27T07:50:34+0000

Any site served via http can change its content using a proxy server, for example. So yes, this is pretty pointless on http sites since it is so easily defeated.

https , -, https-. -, " " (MITM), -, . - , , , .

MITM , ( , , https !):

. , Avast SSL ( ) https://www.google.com , , Avast Google, . , , , - . cert , .
, https . , , .

, -, https-, , - .

- http . , www.google.com, https://www.google.com, - → - https, . , https, , , HSTS ( , google.com). , .

What is the X-Frame-Options header point?

More articles: