HAProxy community

X-Frame-Options in haproxy

Hi
We use HAProxy version 1.8.16 for our sites. One week ago we saw that one site is using our site by means of an iframe tag in its site; I think this is a kind of clickjacking. We could stop them with the command below in our frontend:
rspadd X-Frame-Options:\ SAMEORIGIN
This worked very well and stopped them,
but we need to exempt some sites from this. I have found nothing about this issue on the internet for HAProxy.
Thanks for your help

X-Frame-Options is a feature implemented in browsers, and therefore does not pertain to HAProxy (or any other web server or load balancer out there).

However, you should have a look at the Mozilla documentation pertaining to this header (they even have an example for HAProxy):

Unfortunately, based on their compatibility matrix, except for Firefox (and surprisingly IE), only the sameorigin option looks to be fully supported by most browsers.

That being said, another alternative is to inject the X-Frame-Options: deny header only when the Referer request header is different from the domains you want to whitelist. (You should also make sure to configure the referrerpolicy option of the <iframe>.)

https://developer.mozilla.org/en-US/docs/Web/HTML/Element/iframe#attr-referrerpolicy


All in all, please take into account that the success of any of these measures depends on the browser, and in the end there is nothing that HAProxy (or for that matter any web server out there) can actually do to stop this kind of attack.

Alternatively, you could rely on JavaScript to detect usage inside an <iframe> and either "escape" from it, issue an alert to the user, or perhaps even redirect that iframe to a warning page.
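As an added example (not from the original thread or from the HAProxy project), here is the Referer-based approach from the answer above expressed as an HAProxy 1.8 configuration. The frontend and backend names, the listen and server addresses, and the partner domain are placeholders; the only real pieces are the HAProxy keywords. It uses http-response set-header, which supersedes the deprecated rspadd used in the question, and a transaction variable, because request headers are not reliably readable from http-response rules.

```haproxy
# Added example, not from the original thread. Names and addresses are placeholders.
frontend web
    bind *:80
    default_backend app

    # Copy the request's Referer into a transaction-scoped variable so it can
    # still be evaluated when the response rules run.
    http-request set-var(txn.referer) req.hdr(Referer)

    # Origins allowed to frame this site (placeholder domain). A browser Referer
    # always carries at least a trailing "/", so the pattern ends on it to avoid
    # matching look-alike hosts such as partner.example.com.evil.test.
    acl allowed_framer var(txn.referer) -m reg -i ^https?://(www\.)?partner\.example\.com/

    # Every other response, error pages included, tells the browser not to
    # render it inside a frame.
    http-response set-header X-Frame-Options DENY unless allowed_framer

backend app
    server app1 127.0.0.1:8080
```

Two properties of this rule are worth checking before relying on it. A request with no Referer at all does not match the ACL, so it still receives DENY (the check fails closed); this also means a whitelisted partner whose page uses a no-referrer referrerpolicy will be blocked, which is why the answer points at that attribute. And as the answer says, the header is only a hint to the browser: the Referer is supplied by the client and the decision to honour X-Frame-Options is made on the client side, so this filters well-behaved embedding rather than preventing it.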