Template shim to prevent clickjacking on a SilverStripe website
Actively combats an attempt to load your SilverStripe site through an iframe. This works as a fallback when used with
Security::frame_options = 'DENY' and any X-Frame-Options headers sent by your webserver.
This is not an original idea - the attack and the sample code used to prevent it have been available on the internet since 2008. Clickjacking occurs when an attacker loads your website through an iframe and overlays that frame on an attack page. The opacity of the iframe can be set to 0 and positioned over an element on their page (such as a button) to trick the user into clicking it - the click is actually passed through to your site through the iframe.
A common mitigation is to set your server headers to deny loading from iframes completely, or only allow them if it originates from the same domain. This shim acts as a fallback if those headers are not in place, or your browser is too old or restricted to understand them - if a clickjack is detected, the hostpage will redirect to the URL defined on its
composer require elliotsawyer/anticlickjack
Add this at the very end of your tags.
<head> ... <% include AntiClickjack %> </head>
Copyright 2019 Elliot Sawyer. Released under BSD-3
Contributions are more than welcome! Please raise some issues or create pull requests on the Github repo.
Need some extra help or just love my work? Consider shouting me a coffee or a small donation if this module helped you solve a problem. I accept cryptocurrency at the following addresses:
Module rating system helping users find modules that are well supported. For more on how the rating system works visit Module standards
Score not correct? Let us know there is a problem