I'm developing an ASP.NET MVC website and want to implement some security features. One of them is to prevent the website from being injected in an iframe. I have read that it is possible to do that with X-Frame-Options, which is a server-side validation, but I have also read that it is required to implement client-side validation with JS as well. Could anyone help me with that? Many thanks!!
The client-side validation can be done using the busting JS. To implement the server-side validation, you need (as you already mentioned) to set X-Frame-Options in IIS or in the application (Global.asax file):
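IIS:
    <!-- web.config: httpProtocol belongs inside system.webServer -->
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>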
Global.asax:
    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        // Send the header on every response so no page can be framed.
        HttpContext.Current.Response.AddHeader("x-frame-options", "DENY");
    }
For more info about busting js, see this link: https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
I have the same problem with old browsers, for example, Mozilla 3.0.
Hope this helps!
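The client-side fallback the answer refers to, as an added example that is not part of the original posts: it follows the hide-by-default approach from the OWASP cheat sheet linked above, for browsers that ignore X-Frame-Options. The function name `guardAgainstFraming`, its return strings and the style id `antiClickjack` are assumptions made for this sketch.

```javascript
// Added example, not code from the original answer.
// Assumed page markup, placed in <head> BEFORE this script so that the
// content is hidden until the check has run:
//   <style id="antiClickjack">body{display:none !important;}</style>

// Takes window-like and document-like objects so the logic can be tested
// outside a browser. Returns:
//   "shown"  - page is top-level, hiding style removed
//   "busted" - page was framed, top window was told to load this page
//   "hidden" - page was framed and top navigation was refused
function guardAgainstFraming(win, doc) {
  var cloak = doc.getElementById("antiClickjack");

  if (win.self === win.top) {
    // Not framed: reveal the page by removing the hiding style element.
    if (cloak && cloak.parentNode) {
      cloak.parentNode.removeChild(cloak);
    }
    return "shown";
  }

  try {
    // Framed: replace the framing page with this page.
    win.top.location = win.self.location;
    return "busted";
  } catch (e) {
    // The framing page prevented top navigation (for example a sandboxed
    // iframe). The hiding style stays in place, so nothing is clickable.
    return "hidden";
  }
}

// Browser wiring; skipped when the file is loaded outside a browser.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  guardAgainstFraming(window, document);
}
```

The hiding style is removed only in the top-level case, so a framed copy of the page stays invisible even when the redirect is blocked. Keep the X-Frame-Options header as the primary control and treat this script as the fallback for old browsers.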