Improve `X-Frame-Options` documentation (#277)

Co-authored-by: Léo Colombaro <git@colombaro.fr>
Julio 2021-06-13 23:30:25 +02:00 committed by GitHub
parent d249bf2f2b
commit 501444ab43
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 2 deletions


@ -15,8 +15,7 @@
#
# Keep in mind that while you could send the `X-Frame-Options` header for all
# of your website's pages, this has the potential downside that it forbids even
# non-malicious framing of your content (e.g.: when users visit your website
# using a Google Image Search results page).
# non-malicious framing of your content.
#
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# all pages that allow a user to make a state-changing operation (e.g: pages
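Review bot: dropping the parenthetical on the removed lines leaves the comment with no concrete instance of "non-malicious framing", which is the whole reason the header is not recommended site-wide; if the Google Image Search example is considered dated, replace it with a short generic one rather than deleting it outright, e.g. `# non-malicious framing of your content (e.g.: previews or embeds of your pages on third-party sites).` The surrounding paragraph (`Nonetheless, you should ensure ...`) reads as a counterpoint and loses its force without the example it is answering.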
@ -27,6 +26,9 @@
# more than just clickjacking attacks.
# https://cure53.de/xfo-clickjacking.pdf.
#
# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
# which obsoletes this header for supporting browsers.
#
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://tools.ietf.org/html/rfc7034
# https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/
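Review bot: the added `(!)` note says `frame-ancestors` "obsoletes" `X-Frame-Options` for supporting browsers but gives no guidance on what to do about it, which a reader will likely take as "drop `X-Frame-Options`"; the practical advice is to send both, since browsers that understand `frame-ancestors` ignore `X-Frame-Options` when a `frame-ancestors` directive is present, while browsers without CSP support still rely on `X-Frame-Options`. Suggest rewording along the lines of `# which supersedes this header in supporting browsers (they ignore X-Frame-Options when frame-ancestors is present); send both until you no longer need to support browsers that lack it.` The link list below the note should also gain a reference for the directive itself, e.g. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors, so the reader is not left to find the replacement on their own.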