class Helmet::FrameGuardHandler
- Helmet::FrameGuardHandler
- HTTP::Handler
- Reference
- Object
Overview
When your webpage can be put in a frame (like an iframe), you can be vulnerable to a kind of attack called clickjacking, where your page is invisible on another page but is being interacted with.

The X-Frame-Options HTTP header restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.
DENY will prevent anyone from rendering this page in a frame. SAMEORIGIN will only allow pages on the same origin to put this page in a frame. For example, if this header were set on http://example.com/about.html then http://example.com/store.html could render it, but http://evanhahn.com/store.html could not. ALLOW-FROM lets you specify a specific origin that is allowed to put this page in frames.
Allow this page to be put in frames on the same origin
You can specify this explicitly:
sameorigin = Helmet::FrameGuardHandler::Origin::Same
server = HTTP::Server.new("0.0.0.0", 8080, [
Helmet::FrameGuardHandler.new allow_from: sameorigin,
# ...
])
It's also the default:
server = HTTP::Server.new("0.0.0.0", 8080, [
Helmet::FrameGuardHandler.new,
# ...
])
Don't allow this page to be put in frames (from anywhere)
nowhere = Helmet::FrameGuardHandler::Origin::Nowhere
server = HTTP::Server.new("0.0.0.0", 8080, [
Helmet::FrameGuardHandler.new allow_from: nowhere,
])
Allow this page to be framed by a specific origin
server = HTTP::Server.new("0.0.0.0", 8080, [
Helmet::FrameGuardHandler.new allow_from: "http://example.com",
# ...
])
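To show what the three modes from the overview actually put on the wire, here is an added example (not the shard's own code) of a minimal HTTP::Handler that maps the same three configurations to an X-Frame-Options value and then runs itself against a constructed request without opening a socket. The class name FrameGuardExample, its Origin enum and the `header_value` method are hypothetical stand-ins for the shard's API.

```crystal
require "http/server"

# Hypothetical stand-in for Helmet::FrameGuardHandler (added example, not the shard's code).
class FrameGuardExample
  include HTTP::Handler

  enum Origin
    Same     # emit SAMEORIGIN (the default)
    Nowhere  # emit DENY
  end

  def initialize(@allow_from : Origin | String = Origin::Same)
  end

  # Translate the configured mode into the header value the browser will see.
  def header_value : String
    case allow = @allow_from
    in Origin
      allow.same? ? "SAMEORIGIN" : "DENY"
    in String
      "ALLOW-FROM #{allow}"
    end
  end

  # Set the header before handing off, so every downstream handler's response carries it.
  def call(context : HTTP::Server::Context)
    context.response.headers["X-Frame-Options"] = header_value
    call_next(context)
  end
end

# Exercise each configuration offline: constructed GET request, response written to memory.
[
  FrameGuardExample.new,                                     # same origin (default)
  FrameGuardExample.new(FrameGuardExample::Origin::Nowhere), # deny everywhere
  FrameGuardExample.new("http://example.com"),               # one specific origin
].each do |handler|
  io = IO::Memory.new
  response = HTTP::Server::Response.new(io)
  context = HTTP::Server::Context.new(HTTP::Request.new("GET", "/about.html"), response)
  handler.next = ->(ctx : HTTP::Server::Context) { ctx.response.print "ok" }
  handler.call(context)
  response.close # flushes status line and headers into io
  wire = io.to_s.lines.find { |line| line.starts_with?("X-Frame-Options:") }
  puts "#{handler.header_value.ljust(28)} => #{wire}"
end
```

Current browsers no longer honor ALLOW-FROM (only DENY and SAMEORIGIN are still respected), so a site that must be framed by one specific origin should also send a Content-Security-Policy header with a frame-ancestors directive.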