I am trying to add the X-Frame-Options header (with value set to "DENY") into my MVC 4 application. I looked around and it seems this is the cleanest way to add for all pages.
However, when I add this code it will not build, with an error on OnResultExecuting of "no suitable method found to override."
public class XframeOptions : ActionFilterAttribute
{
    public override void OnResultExecuting(
        System.Web.Mvc.ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader(
            "X-Frame-Options", "DENY");
    }
}
If this is the cleanest way to do this how can I resolve this error? Is there a better way to handle this in an MVC 4 application?
There's no need for a custom HttpModule or ActionFilter if you need it for every page. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options details a much simpler solution:
To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:
<system.webServer>
  <!-- ... -->
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  <!-- ... -->
</system.webServer>
Make sure you inherit from the correct class:
public class XframeOptions : System.Web.Mvc.ActionFilterAttribute
In ASP.NET MVC 4 there's the Web API, which has a different namespace, and since you haven't explicitly specified the namespace I guess that the compiler is picking the wrong class:
System.Web.Http.Filters.ActionFilterAttribute
There is another way to do that: create a custom HttpModule like the one below:
using System;
using System.Web;

public class XframeOptionsModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        // Hook the point just before response headers are flushed to the client.
        context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
    }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("x-frame-options", "Deny");
    }
}
Then register this module in web.config:
<modules>
  <add name="XframeOptions" type="your module's full type info" />
</modules>
You are getting this error because you are using the wrong method name: instead of OnResultExecuting use OnResultExecuted. You should write your method like this:
public class XframeOptionsFilter : System.Web.Mvc.ActionFilterAttribute
{
    public override void OnResultExecuted(System.Web.Mvc.ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader("x-frame-options", "Deny");
    }
}
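The filter-based answers above show how to set the header from an action filter but not how to apply it to every page, which is what the question asks. The following is an added example, not code from the question or any of the answers: an MVC 4 filter that emits X-Frame-Options: DENY, written with fully qualified names so the Web API ActionFilterAttribute (System.Web.Http.Filters) cannot be resolved by mistake, and registered globally in the App_Start/FilterConfig.cs that the MVC 4 project template generates. The namespace Demo.Website.Filters and the class name XFrameOptionsDenyAttribute are assumptions. The duplicate check is a practitioner's caveat: if the header is also configured in web.config <customHeaders> or by an HttpModule, an unconditional AddHeader would send it twice.

```csharp
// Added example (not from the original question or answers).
// Demo.Website.Filters is an assumed namespace.
using System.Web.Mvc;

namespace Demo.Website.Filters
{
    // Alias makes the base class unambiguous even if a Web API
    // "using System.Web.Http.Filters;" is added to this file later.
    using MvcActionFilter = System.Web.Mvc.ActionFilterAttribute;

    public sealed class XFrameOptionsDenyAttribute : MvcActionFilter
    {
        private const string HeaderName = "X-Frame-Options";
        private const string HeaderValue = "DENY";

        // OnResultExecuting runs before the view is rendered, i.e. before
        // any response bytes (and therefore headers) are flushed.
        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var response = filterContext.HttpContext.Response;

            // Skip if another layer (web.config customHeaders, an HttpModule)
            // already emitted the header, so the client never sees two copies.
            // Response.Headers is readable under the IIS integrated pipeline.
            if (response.Headers[HeaderName] == null)
            {
                response.AppendHeader(HeaderName, HeaderValue);
            }

            base.OnResultExecuting(filterContext);
        }
    }
}

// App_Start/FilterConfig.cs as generated by the MVC 4 template,
// extended to register the filter for every controller action.
namespace Demo.Website
{
    public class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // Global registration: applies to all controllers and actions.
            filters.Add(new Demo.Website.Filters.XFrameOptionsDenyAttribute());
        }
    }
}
```

Global.asax.cs in the template already calls FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters) from Application_Start, so no further wiring is needed. Note the limitation that motivates the web.config and HttpModule answers: an MVC filter only runs for responses produced by MVC actions, so static files and responses generated outside the MVC pipeline will not carry the header.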
NWebsec lets you set this and other security headers through web.config, OWIN middleware, and/or MVC filter attributes: https://github.com/NWebsec/NWebsec/wiki
Disclaimer: I'm the maintainer of the project.
To add a deny "x-frame-options" header to the whole MVC app, you can do the following to avoid a clickjacking attack.
using System;
using System.Web;

namespace Demo.Website.Modules
{
    public class XfoHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            // Runs for every request, just before the headers are sent.
            context.PreSendRequestHeaders += ContextPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        private void ContextPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny");
        }
    }
}
Add the following to the web.config:
<system.webServer>
  <modules>
    <add name="XfoHeader" type="Demo.Website.Modules.XfoHeaderModule" />
  </modules>
</system.webServer>