Preventing iFrame injection in web app

There is an issue where a malicious attacker can inject iframes into the app, so that an iframe has a source pointing to an external application outside the parent app's domain.

Ex: Let's consider the app to be hosted at . The attacker could inject an iframe whose source points to .

The header used to address this, X-Frame-Options, works in the other direction of framing: it tells the browser whether our pages may be rendered inside a frame at all. With the value SAMEORIGIN the browser refuses to load our page in an iframe whose top-level document comes from a different origin, which stops pages on other domains from framing our app (clickjacking). Note that it does not stop an iframe that was injected into our own page from loading an external source; that is an HTML injection problem, fixed by encoding untrusted output (and optionally restricted further with a Content-Security-Policy frame-src directive). To add the framing protection, send the following header in the response for each request:

X-Frame-Options: SAMEORIGIN

This is done in the following two steps in ASP.NET MVC. The first adds the header to every response; the second stops MVC's anti-forgery helper from adding its own copy.

web.config file (the header is added under system.webServer, so IIS sends it with every response):

<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
</system.webServer>

Application Start in Global.asax.cs

By default @Html.AntiForgeryToken() also emits X-Frame-Options: SAMEORIGIN on every page that renders a token. With the header already set in web.config, the response would carry it twice ("SAMEORIGIN, SAMEORIGIN"), which older versions of Chrome rejected as an invalid value and ignored, dropping the protection. So the MVC copy is suppressed and web.config remains the single source of the header:

using System.Web.Helpers;

protected void Application_Start()
{
    // web.config already sends X-Frame-Options; stop the anti-forgery helper
    // from adding a second copy to pages that render @Html.AntiForgeryToken().
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
}
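To confirm that the deployed configuration actually results in a usable header, here is an added Python example (not part of the original post or of ASP.NET MVC): it audits a response's headers for X-Frame-Options, flags the duplicated-header case that the anti-forgery helper causes when the web.config header is also present, and goes one step beyond the post by also recognising the CSP frame-ancestors directive, which browsers prefer over X-Frame-Options when both are sent. The function names (audit_framing, frame_ancestors, fetch_headers), the sample header sets and the hostnames in them are this example's own, constructed for illustration.

```python
"""Audit HTTP response headers for anti-framing protection (added example).

Checks whether a response carries a usable X-Frame-Options header or a CSP
frame-ancestors directive, and flags the duplicate header that ASP.NET MVC
produces when web.config and @Html.AntiForgeryToken() both emit it.
"""
from __future__ import annotations

import urllib.request
from typing import Iterable


def _values(headers: Iterable[tuple[str, str]], name: str) -> list[str]:
    """All values of header `name`, case-insensitive, comma lists split.

    Two header lines and one line "SAMEORIGIN, SAMEORIGIN" look the same to a
    browser, so both come back as two entries.
    """
    out: list[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def frame_ancestors(csp: str) -> list[str] | None:
    """Source list of the frame-ancestors directive in a CSP value, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit_framing(headers: Iterable[tuple[str, str]]) -> dict:
    """Decide whether browsers will refuse to render this response in a
    cross-origin frame.

    Returns {"protected": bool, "mechanism": "csp" | "xfo" | None,
             "warnings": [str, ...]}.
    """
    headers = list(headers)
    warnings: list[str] = []

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers
    # that implement it, so evaluate it first.
    for csp in _values(headers, "Content-Security-Policy"):
        ancestors = frame_ancestors(csp)
        if ancestors is None:
            continue
        # "*" or a bare scheme such as "https:" lets any site frame the page.
        open_sources = [a for a in ancestors if a == "*" or a.endswith(":")]
        if open_sources:
            warnings.append(f"frame-ancestors allows any origin via {open_sources}")
            return {"protected": False, "mechanism": "csp", "warnings": warnings}
        return {"protected": True, "mechanism": "csp", "warnings": warnings}

    xfo = _values(headers, "X-Frame-Options")
    if not xfo:
        warnings.append("no X-Frame-Options or CSP frame-ancestors: any site can frame the page")
        return {"protected": False, "mechanism": None, "warnings": warnings}

    unique = {v.upper() for v in xfo}
    if len(xfo) > 1:
        # Typical MVC cause: header set in web.config *and* emitted by
        # @Html.AntiForgeryToken(); fix with AntiForgeryConfig.SuppressXFrameOptionsHeader.
        warnings.append(f"X-Frame-Options sent {len(xfo)} times ({', '.join(xfo)}); send it once")
    if len(unique) > 1:
        # Conflicting values: current browsers refuse to render in any frame,
        # older ones ignored the header entirely, so do not rely on it.
        warnings.append("conflicting X-Frame-Options values; behaviour is browser-dependent")
        return {"protected": False, "mechanism": "xfo", "warnings": warnings}

    value = unique.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "mechanism": "xfo", "warnings": warnings}
    if value.startswith("ALLOW-FROM"):
        warnings.append("ALLOW-FROM is obsolete and ignored by modern browsers; use CSP frame-ancestors")
    else:
        warnings.append(f"unrecognised X-Frame-Options value {value!r}; browsers ignore it")
    return {"protected": False, "mechanism": "xfo", "warnings": warnings}


def fetch_headers(url: str, timeout: float = 10.0) -> list[tuple[str, str]]:
    """Fetch `url` and return its response header pairs (needs network access)."""
    request = urllib.request.Request(url, headers={"User-Agent": "framing-audit/1.0"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return list(response.getheaders())


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "web.config only": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    "web.config + anti-forgery": [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "SAMEORIGIN")],
    "no header": [("Content-Type", "text/html")],
    "csp": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(f"{label:28} -> {audit_framing(sample)}")
```

Against a running deployment, pass the result of fetch_headers("https://your-app.example/") to audit_framing; run it once against a page that renders an anti-forgery token and once against a static file, since the two take different code paths in IIS.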
