Clickjacking, also known as UI redressing or iframe overlay, is a malicious technique in which a user is tricked into clicking a button or link on a website by means of hidden clickable elements placed inside an invisible iframe. The attack hijacks clicks intended for the visible page and delivers them to an application and/or domain loaded in the hidden frame, not the one the user believes they are interacting with.

The Barracuda Web Application Firewall uses the X-Frame-Options HTTP response header to prevent iframe-based UI redressing. The header is inserted into responses to tell the browser whether the page may be rendered inside an iframe and, if so, which iframe origin must match. The X-Frame-Options header has three values:
- Never – The browser does not display the page when it is loaded inside an iframe.
- Same Origin – The browser displays the page inside an iframe only when the framing page is from the same origin.
- Allowed Origin – The browser displays the page inside an iframe only when the framing page is from the origin specified in Allowed Origin.
To enable Clickjacking protection for a service:
- Go to the WEBSITES > Advanced Security page.
- In the Clickjacking Protection section, identify the service for which you want to enable clickjacking protection, and click Edit next to it. The Edit Clickjacking Protection window appears.
- Set Status to On.
- Select the appropriate option next to Render Page Inside Iframe to specify how the page should be rendered in an iframe.
- If Render Page Inside Iframe is set to Allowed Origin, enter in the Allowed Origin URI field the origin (page/URL) that is permitted to embed the page in an iframe.
- Click Save.
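As an added example (not Barracuda's code), the following Python maps the three Render Page Inside Iframe settings above onto the X-Frame-Options directive the WAF inserts, and evaluates a response's header against the origin of a framing page the way RFC 7034 describes; the function names and the sample URLs used in the tests are assumptions constructed for the demonstration.

```python
from typing import Optional
from urllib.parse import urlsplit

# WAF option name (as shown in the Edit Clickjacking Protection window)
# -> X-Frame-Options directive as defined in RFC 7034.
OPTION_TO_DIRECTIVE = {
    "Never": "DENY",
    "Same Origin": "SAMEORIGIN",
    "Allowed Origin": "ALLOW-FROM",
}


def origin_of(url: str) -> str:
    """Reduce an absolute URL to its scheme://host[:port] origin (lower-cased).
    Simplification for the demo: default ports are not normalised away."""
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        raise ValueError(f"not an absolute URL: {url!r}")
    return f"{parts.scheme}://{parts.netloc}".lower()


def build_header(option: str, allowed_origin_uri: Optional[str] = None) -> str:
    """Return the X-Frame-Options value the WAF would insert for a setting."""
    directive = OPTION_TO_DIRECTIVE[option]
    if directive == "ALLOW-FROM":
        if not allowed_origin_uri:
            raise ValueError("Allowed Origin requires an Allowed Origin URI")
        return f"ALLOW-FROM {origin_of(allowed_origin_uri)}"
    return directive


def framing_allowed(header: Optional[str], page_url: str, framer_url: str) -> bool:
    """Decide whether a browser honouring X-Frame-Options would render page_url
    inside an iframe whose top-level (framing) document is framer_url."""
    if header is None:
        return True  # no header at all: any site may frame the page
    directive, _, arg = header.strip().partition(" ")
    directive = directive.upper()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive == "ALLOW-FROM":
        return origin_of(framer_url) == origin_of(arg.strip())
    raise ValueError(f"unrecognised X-Frame-Options value: {header!r}")
```

Current browsers ignore ALLOW-FROM (Firefox removed it, Chromium and Safari never implemented it), so an Allowed Origin setting should be verified against the browsers you support or paired with a Content-Security-Policy frame-ancestors directive.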