Preventing iFrame injection in web app


The issue is that an attacker who can inject markup into the app's pages can add an iframe whose source is an external application outside the parent app's domain, and can just as easily load the app itself inside a frame on a page they control.

Ex: Let's consider the app to be hosted at https://app.com/. The attacker could inject an iframe whose source is https://malicious.com/, or embed https://app.com/ in an iframe on https://malicious.com/ (clickjacking).

X-Frame-Options tells the browser who may put our pages in a frame, not what our pages may frame. With the value SAMEORIGIN the browser renders https://app.com/ inside a frame only when the top-level page is also on https://app.com/, so a frame on https://malicious.com/ that points at our app stays blank. It does not remove an injected iframe that points from our page out to https://malicious.com/: that requires fixing the injection itself (encode untrusted output, or sanitise HTML that must be rendered) and, as a second layer, a Content-Security-Policy header whose frame-src directive lists the origins our pages are allowed to frame. To send the header in the response for each request, add:

X-Frame-Options: SAMEORIGIN

In ASP.NET MVC this takes two changes.

web.config file

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Application Start in Global.asax.cs

The anti-forgery helper (@Html.AntiForgeryToken()) adds X-Frame-Options: SAMEORIGIN on its own to any response that renders a token. With the header now coming from web.config for every request, suppress the helper's copy so the header is not sent twice:

// AntiForgeryConfig lives in System.Web.Helpers (System.Web.WebPages.dll).
protected void Application_Start()
{
    // X-Frame-Options is set globally in web.config; stop the anti-forgery
    // helper from appending a second copy on pages that render a token.
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
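The two changes above only cover the framing direction. The following is an added example, not code from the original post: a global MVC action filter that emits X-Frame-Options together with a Content-Security-Policy covering both directions (frame-ancestors for who may frame us, frame-src for what our pages may frame), plus the Application_Start wiring that keeps the anti-forgery helper from adding a duplicate. The FrameProtection namespace, the FrameProtectionFilter class name and the 'self'-only directive values are this example's choices; widen the allowed origins to match your app.

```csharp
// Added example (not from the original post). Assumes an ASP.NET MVC 5 app
// running under the IIS integrated pipeline, which Response.Headers requires.
using System.Web.Helpers;
using System.Web.Mvc;

namespace FrameProtection
{
    public class FrameProtectionFilter : ActionFilterAttribute
    {
        // Origins our pages may load in an <iframe>. With 'self' only, an
        // injected <iframe src="https://malicious.com/"> is refused by the
        // browser even if the markup made it into the page.
        private const string FrameSrc = "'self'";

        // Origins allowed to embed our pages. 'self' mirrors
        // X-Frame-Options: SAMEORIGIN for browsers that understand CSP.
        private const string FrameAncestors = "'self'";

        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var headers = filterContext.HttpContext.Response.Headers;

            // Set, not Append: if the header is already present, replace it
            // instead of sending two copies. Browsers that follow the HTML
            // spec treat conflicting X-Frame-Options values as DENY, which
            // would also break our own same-origin frames.
            headers.Set("X-Frame-Options", "SAMEORIGIN");
            headers.Set("Content-Security-Policy",
                "frame-ancestors " + FrameAncestors + "; frame-src " + FrameSrc);

            base.OnResultExecuting(filterContext);
        }
    }

    public class MvcApplication : System.Web.HttpApplication
    {
        protected void Application_Start()
        {
            // The filter owns X-Frame-Options, so stop @Html.AntiForgeryToken()
            // from appending its own SAMEORIGIN copy on pages that render a token.
            AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

            // Register globally so every action result carries both headers.
            GlobalFilters.Filters.Add(new FrameProtectionFilter());
        }
    }
}
```

The filter runs only for MVC action results; static files served directly by IIS still rely on the web.config customHeaders entry above. Keep the injection fix (output encoding or sanitisation) in place as well: frame-src is a browser-side backstop, not a replacement for it.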
