Dev-Insider: Mitigate framesniffing attacks using X-Frame option headers
Tuesday, August 1, 2023

In a framesniffing attack, an attacker embeds a page from your site in an IFRAME on a page they control and abuses browser behaviour to infer information about that page's contents. A web application is exposed to this technique whenever it lets its content be framed from another domain. An administrator can prevent this by instructing IIS to send the HTTP response header X-Frame-Options with every response. With this header set, pages on foreign domains can no longer load your website in an IFRAME.

Smartstore sets this HTTP response header automatically from version 5.0.5 onwards, so the IIS configuration described below is not necessary in that case.

Perform the following steps to configure IIS so that the X-Frame-Options header is added to every response of a particular site:

  1. Open the Internet Information Services (IIS) Manager.
  2. In the Connections pane on the left, expand the Sites folder and select the site you want to protect.
  3. In the feature list in the centre, double-click the HTTP Response Headers icon.
  4. In the Actions pane on the right, click Add.
  5. In the dialog box that appears, enter X-Frame-Options in the Name field and SAMEORIGIN in the Value field.
  6. Click OK to save your changes.
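
The same configuration can be applied from the command line, which is easier to repeat across servers and to verify. The following PowerShell script is an added example and is not code from the original article or from Smartstore. It assumes the IIS WebAdministration module is installed, that it runs in an elevated prompt, and that the site name 'Default Web Site' and the URL http://localhost/ are placeholders for your own site. It adds the header exactly as the IIS Manager steps above do (the result is the same entry in the site's web.config), avoids duplicating an existing entry, and then requests the site to confirm the header is returned.

```powershell
# Added example, not part of the original article or of Smartstore.
# Sets X-Frame-Options on an IIS site from PowerShell and verifies the result.
# Assumptions: WebAdministration module available (IIS Management Scripts and
# Tools feature), elevated prompt, and placeholder site name/URL replaced.

#Requires -RunAsAdministrator
Import-Module WebAdministration

$SiteName    = 'Default Web Site'   # assumption: replace with your site name
$SiteUrl     = 'http://localhost/'  # assumption: replace with your site URL
$HeaderName  = 'X-Frame-Options'
$HeaderValue = 'SAMEORIGIN'         # 'DENY' forbids framing from any origin, including your own

$SitePath = "IIS:\Sites\$SiteName"
$Filter   = 'system.webServer/httpProtocol/customHeaders'

# Remove an existing entry with the same name first, so the header is never sent
# twice (browsers treat conflicting duplicate X-Frame-Options headers as invalid).
$existing = Get-WebConfiguration -PSPath $SitePath `
    -Filter "$Filter/add[@name='$HeaderName']" -ErrorAction SilentlyContinue
if ($existing) {
    Remove-WebConfigurationProperty -PSPath $SitePath -Filter $Filter `
        -Name '.' -AtElement @{ name = $HeaderName }
}

# Add the header. This writes the following fragment into the site's web.config,
# which is also what the IIS Manager steps produce:
#   <system.webServer>
#     <httpProtocol>
#       <customHeaders>
#         <add name="X-Frame-Options" value="SAMEORIGIN" />
#       </customHeaders>
#     </httpProtocol>
#   </system.webServer>
Add-WebConfigurationProperty -PSPath $SitePath -Filter $Filter `
    -Name '.' -Value @{ name = $HeaderName; value = $HeaderValue }

# Verify by requesting the site and reading the response header back.
# Headers may be a string or a string array depending on the PowerShell version.
$response = Invoke-WebRequest -Uri $SiteUrl -UseBasicParsing
$actual = @($response.Headers[$HeaderName]) -join ','
if ($actual -eq $HeaderValue) {
    Write-Host "OK: $HeaderName is '$actual'"
} else {
    Write-Warning "$HeaderName is '$actual' (expected '$HeaderValue'); check for overriding web.config entries"
}
```

Run the script once per site you want to protect. If the verification step reports a different value, look for a `<customHeaders>` entry in an application-level web.config below the site, since a nested configuration can override the site-level header.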

You can find more information here.

Do you have further questions about the security configuration of your Smartstore version? Call us or send us an email. Our Smartstore team will be happy to assist you personally!