Frame busting and clickjacking prevention
Clickjacking allows an attacker to trick your users into clicking parts of your interface without their consent. A simple way to describe this is: an attacker embeds your application in their site as an iframe and, on top of that iframe, shows a completely different interface. You think you are clicking buttons on their interface, while in fact you are hitting, for example, the ‘Delete my account’ button in GMail.
Because this attack depends entirely on framing, it can be countered by using a ‘frame busting’ technique. As a bonus, this will also stop sites such as Digg from framing your pages to steal and monetize your content.
In Internet Explorer the situation is worse: IE lets the framing page specify the non-standard attribute security="restricted", which loads the framed page as if it were in the Restricted sites zone, with scripting disabled, so a script-based frame buster never runs:
<iframe src="http://www.rooftopsolutions.nl/" security="restricted"></iframe>
The X-FRAME-OPTIONS HTTP header is specified as follows:
X-FRAME-OPTIONS: SAMEORIGIN
X-FRAME-OPTIONS: DENY
You only need to send one of these two: SAMEORIGIN means the page can only be framed from an HTML page hosted on the same domain, while DENY disallows framing altogether.
<?php header('X-FRAME-OPTIONS: DENY'); ?>
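The two layers described above, the X-FRAME-OPTIONS check and the script-based frame buster, as an added example written for this post rather than taken from it: frameAllowed() mimics how a browser evaluates DENY and SAMEORIGIN against the framed page's origin and the top-level page's origin, and installFrameBuster() is the fallback in the "hidden until proven top-level" form, which also means that if the script is prevented from running (as with IE's security="restricted") the page stays blank instead of being exposed. Assumptions: origins are compared as plain scheme://host strings, the page ships CSS html { display: none }, and window/document are passed in as parameters so the functions can run outside a browser.

```javascript
// Added example, not code from the original post. Models two layers of the
// clickjacking defence: the X-FRAME-OPTIONS header check a browser performs,
// and a script-based frame buster that keeps the page hidden until it knows
// it is the top-level window. Assumed: CSS "html { display: none }" is shipped
// with the page, and origins are "scheme://host[:port]" strings.

function frameAllowed(headerValue, pageOrigin, topOrigin) {
  if (headerValue === undefined || headerValue === null) {
    return true; // no header: the browser frames the page freely
  }
  const directive = String(headerValue).trim().toUpperCase();
  if (directive === 'DENY') {
    return false; // never framed, not even by the same site
  }
  if (directive === 'SAMEORIGIN') {
    // Compared against the top-level document's origin only.
    return pageOrigin === topOrigin;
  }
  // Unrecognised directive: treated here as if the header were absent.
  return true;
}

function installFrameBuster(win, doc) {
  if (win.top === win.self) {
    doc.documentElement.style.display = 'block'; // top-level: reveal the page
    return 'shown';
  }
  // Framed: leave the document hidden so nothing in it can be clicked,
  // and try to replace the framing page with our own URL.
  win.top.location = win.self.location;
  return 'busting';
}
```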
Unfortunately, you can safely assume most sites don’t implement either of these security measures. For Firefox users I would therefore strongly recommend using the NoScript plugin. Not only does it implement X-FRAME-OPTIONS support in Firefox, it also actively detects clickjacking attempts.