
Thread: X-Frame-Options in redirecting?

  1. #1
    Join Date
    Feb 2010
    Posts
    24


    Hello,

    I am trying to stop any usage of my web app if it is embedded within a frame. But as I employ SS to protect the publicized URL, the first step of a user accessing the URL is that they are redirected to the login page.

    I appended 'X-Frame-Options' to my redirect response in the hope that it would stop the redirect if called in a frame, only to find out that it does not work. It functions as expected if it is not a redirect response. But there seems to me to be no way I can tell from the server side whether the request comes from a frame or not.

    Can I have some hints/help on how to achieve 'no redirecting if called from a frame'? I'd really appreciate it.

  2. #2
    Join Date
    Mar 2012
    Location
    Salt Lake City, UT
    Posts
    4


    The best success I've had ensuring that my web pages are not being served inside a frame is to use JavaScript on my login page.

    It's not as sexy as encapsulating the logic in your security layer, I know, but it's just a few lines of JavaScript that works 99% of the time and even with older browsers that don't support x-frame-options.

    Code:
    // If this page is not the top-level window, it is framed: move the top window to this page.
    if (top.location != location) {
        top.location.href = document.location.href;
        // or perform some ajax call to the server...
    }
    Good luck!

  3. #3
    Join Date
    Feb 2010
    Posts
    24


    Thank you for the reply, Monger. But there is no page behind my URL. It is my SS filters that are taking care of the URL.
    If I had a page, I could have just set the response header directly.
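
Added example, not part of the thread or of any poster's code: browsers follow a 3xx response inside a frame and apply X-Frame-Options to the document that finally loads, so the header has to be on the redirect target (the login page) as well as on the redirect. One way to get it onto every response without a page of your own is a servlet filter that runs ahead of the security filter chain. The class name `FrameOptionsFilter`, the `policy` init-param and the `javax.servlet` API version are assumptions.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not from the thread). Map it to /* in web.xml and declare
// its <filter-mapping> before the security filter's mapping so it runs first.
public class FrameOptionsFilter implements Filter {

    private String policy = "DENY";       // X-Frame-Options value
    private String ancestors = "'none'";  // equivalent CSP frame-ancestors source

    @Override
    public void init(FilterConfig config) throws ServletException {
        String configured = config.getInitParameter("policy"); // hypothetical init-param
        if (configured == null) {
            return; // keep the DENY default
        }
        if ("SAMEORIGIN".equalsIgnoreCase(configured.trim())) {
            policy = "SAMEORIGIN";
            ancestors = "'self'";
        } else if (!"DENY".equalsIgnoreCase(configured.trim())) {
            // Fail at startup rather than emit a value browsers would ignore.
            throw new ServletException("Unsupported X-Frame-Options policy: " + configured);
        }
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) response;
            // Set the headers before the chain runs: a downstream filter that calls
            // sendRedirect() commits the response, and later header changes are ignored.
            http.setHeader("X-Frame-Options", policy);
            // addHeader, so an application-set CSP is kept; browsers enforce all CSP headers.
            http.addHeader("Content-Security-Policy", "frame-ancestors " + ancestors);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```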
