Adding X-Frame-Options header to all pages in MVC 4 application
I am trying to add the X-Frame-Options header (with the value set to "DENY") to my MVC 4 application. I looked around and it seems this is the cleanest way to add it for all pages.

However, when I add this code it will not build, with an error on OnResultExecuting of

"no suitable method found to override."

public class XframeOptions : ActionFilterAttribute
{
    public override void OnResultExecuting(
          System.Web.Mvc.ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader(
            "X-Frame-Options", "DENY");
    }
}

If this is the cleanest way to do this how can I resolve this error? Is there a better way to handle this in an MVC 4 application?

Unsaddle answered 10/5, 2013 at 14:13 Comment(1)
This worked for me, but setting the property in <system.webServer> does not work. This is not the first time I've had settings in system.webServer seemingly ignored. Why would this be? (Ameba)
14

Make sure you inherit from the correct class:

public class XframeOptions : System.Web.Mvc.ActionFilterAttribute

In ASP.NET MVC 4 there's the Web API, which has a different namespace, and since you haven't explicitly specified the namespace I guess that the compiler is picking the wrong class:

System.Web.Http.Filters.ActionFilterAttribute
Manouch answered 10/5, 2013 at 14:27 Comment(0)
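A complete version of the global-filter approach from the accepted answer, added here as an example (it is not code from the original question or answer): the base class is fully qualified so that OnResultExecuting resolves against System.Web.Mvc rather than the Web API namespace, the header is set rather than appended so that a response never carries two X-Frame-Options headers, and the attribute is registered in FilterConfig so that every MVC action gets it. The Demo.Website namespaces and the attribute name are assumptions.

```csharp
using System.Web.Mvc;

namespace Demo.Website.Filters
{
    // Fully qualified base class: System.Web.Mvc.ActionFilterAttribute, not
    // System.Web.Http.Filters.ActionFilterAttribute (Web API). Only the MVC one
    // declares OnResultExecuting(ResultExecutingContext), which is why the
    // unqualified version in the question fails with "no suitable method to override".
    public sealed class XFrameOptionsAttribute : System.Web.Mvc.ActionFilterAttribute
    {
        private const string HeaderName = "X-Frame-Options";
        private readonly string _value;

        public XFrameOptionsAttribute() : this("DENY") { }

        // Only DENY and SAMEORIGIN are accepted here; ALLOW-FROM is deliberately
        // not offered because not every browser honours it.
        public XFrameOptionsAttribute(string value)
        {
            if (value != "DENY" && value != "SAMEORIGIN")
                throw new System.ArgumentException("Use DENY or SAMEORIGIN", "value");
            _value = value;
        }

        public override void OnResultExecuting(ResultExecutingContext filterContext)
        {
            var response = filterContext.HttpContext.Response;
            // Set, don't Add: a response with two X-Frame-Options headers is
            // ambiguous and browsers may ignore both. Response.Headers needs the
            // IIS integrated pipeline (it throws under classic mode).
            response.Headers[HeaderName] = _value;
            base.OnResultExecuting(filterContext);
        }
    }
}

// App_Start/FilterConfig.cs (assumed project layout): register once so every
// controller action in the application gets the header.
namespace Demo.Website
{
    using Demo.Website.Filters;

    public static class FilterConfig
    {
        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            filters.Add(new XFrameOptionsAttribute("DENY"));
        }
    }
}
```

Global filters only run for MVC action results: static files, IIS-generated error pages and anything served outside the MVC pipeline get no header from this, which is why the web.config customHeaders route in the next answer is the one to prefer when the whole site must be covered. Child actions rendered with Html.Action also pass through the filter; they simply set the same header on the same buffered response, which is harmless.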
147

There's no need for a custom HttpModule or ActionFilter if you need it for every page. https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options details a much simpler solution:

To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

<system.webServer>
  <!-- ... -->

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  <!-- ... -->
</system.webServer>
Horned answered 28/2, 2014 at 20:45 Comment(5)
This is a more suitable answer. No code needed, just configuration. (Selfdelusion)
Hi, I just added the code into my web.config source file. But after running the program, I couldn't see the X-Frame-Options in the Chrome test tool. Did I miss something? (Strachan)
Did you restart IIS / IIS Express after doing so? In theory it isn't necessary since IIS tends to recycle when you change the web.config, but I've been bitten by assuming before. (Horned)
To effectively prevent framing attacks, the application should return a response header with the name X-Frame-Options and the value DENY to prevent framing altogether, or the value SAMEORIGIN to allow framing only by pages on the same origin as the response itself. Note that the SAMEORIGIN header can be partially bypassed if the application itself can be made to frame untrusted websites. (Rotow)
Most modern web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site. If you expect the page to be framed only by pages on your server (e.g. it's part of a FRAMESET) then you'll want to use SAMEORIGIN; otherwise, if you never expect the page to be framed, you should use DENY. ALLOW-FROM allows specific websites to frame the web page in supported web browsers. See also here: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… (Rotow)
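A small console checker, added as an example and not part of any answer on this page, to confirm what the web.config change actually produced on the wire: it fetches each URL without following redirects and classifies the X-Frame-Options header of every response as missing, duplicated, invalid or acceptable. The Demo.Checks namespace and the URLs passed on the command line are assumptions; Evaluate is kept separate from the HTTP fetch so it can be unit-tested on constructed header arrays.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

namespace Demo.Checks
{
    public static class XFrameOptionsCheck
    {
        private const string HeaderName = "X-Frame-Options";

        // Classifies the X-Frame-Options values of a single response.
        // Returns null when the response is acceptable, otherwise a finding.
        public static string Evaluate(string[] values)
        {
            if (values == null || values.Length == 0)
                return "missing: the page can be framed by any origin";
            if (values.Length > 1)
                return "duplicate: " + values.Length + " " + HeaderName + " headers; browsers may ignore both";

            // RFC 7034 defines the values as case-insensitive.
            string v = values[0].Trim().ToUpperInvariant();
            if (v == "DENY" || v == "SAMEORIGIN")
                return null;
            if (v.StartsWith("ALLOW-FROM ", StringComparison.Ordinal))
                return "ALLOW-FROM is only honoured by some browsers; DENY or SAMEORIGIN is safer";
            return "invalid value '" + values[0] + "'";
        }

        // Fetches each URL and collects one finding per problematic URL.
        // Redirects are not followed: the 3xx response itself must carry the header.
        public static IDictionary<string, string> Run(IEnumerable<string> urls)
        {
            var findings = new Dictionary<string, string>();
            foreach (string url in urls)
            {
                var request = (HttpWebRequest)WebRequest.Create(url);
                request.AllowAutoRedirect = false;
                HttpWebResponse response;
                try
                {
                    response = (HttpWebResponse)request.GetResponse();
                }
                catch (WebException ex)
                {
                    // 4xx/5xx arrive as exceptions but still carry headers worth checking.
                    if (ex.Response == null)
                    {
                        findings[url] = "request failed: " + ex.Message;
                        continue;
                    }
                    response = (HttpWebResponse)ex.Response;
                }
                using (response)
                {
                    // GetValues returns one entry per header line, so a response
                    // that emitted the header twice shows up as two values.
                    string finding = Evaluate(response.Headers.GetValues(HeaderName));
                    if (finding != null)
                        findings[url] = finding;
                }
            }
            return findings;
        }

        public static int Main(string[] args)
        {
            var findings = Run(args);
            foreach (var kv in findings)
                Console.WriteLine(kv.Key + ": " + kv.Value);
            Console.WriteLine(findings.Count == 0 ? "OK" : findings.Count + " finding(s)");
            return findings.Count == 0 ? 0 : 1;
        }
    }
}
```

Run it against a few representative URLs, including one that redirects (for example a page that bounces to the login form) and one that 404s, since those responses come from different parts of the pipeline and are the ones a filter-only solution tends to miss. A non-zero exit code makes it usable as a build or deployment gate.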
6

There is another way to do that: create a custom HttpModule like below:

using System;
using System.Web;

public class XframeOptionsModule : IHttpModule
{
    public void Dispose()
    {
    }

    public void Init(HttpApplication context)
    {
        // Fires just before the response headers are written, for every
        // request that passes through the ASP.NET pipeline.
        context.PreSendRequestHeaders += this.OnPreSendRequestHeaders;
    }

    private void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("x-frame-options", "Deny");
    }
}

Then register this module in web.config:

    <modules>
        <add name="XframeOptions" type="your module's full type info"/>
    </modules>
Arguello answered 26/12, 2013 at 8:32 Comment(0)
4

You are getting this error because you are using the wrong method name: instead of OnResultExecuting, use OnResultExecuted. You should write your method like this:

public class XframeOptionsFilter : System.Web.Mvc.ActionFilterAttribute
{
    public override void OnResultExecuted(System.Web.Mvc.ResultExecutedContext filterContext)
    {
        filterContext.HttpContext.Response.AddHeader("x-frame-options", "Deny");
    }
}
Archenteron answered 26/12, 2013 at 7:30 Comment(0)
1

NWebsec lets you set this and other security headers through web.config, OWIN middleware, and/or MVC filter attributes: https://github.com/NWebsec/NWebsec/wiki

Disclaimer: I'm the maintainer of the project.

Zipah answered 17/6, 2015 at 10:32 Comment(1)
But standard .Net lets you set this and other security headers through web.config...? (Maplemaples)
0

To add a DENY "x-frame-options" header to the whole MVC app, you can do the following to avoid a clickjacking attack.

using System;
using System.Web;

namespace Demo.Website.Modules
{
    public class XfoHeaderModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.PreSendRequestHeaders += ContextPreSendRequestHeaders;
        }

        public void Dispose()
        {
        }

        private void ContextPreSendRequestHeaders(object sender, EventArgs e)
        {
            HttpContext.Current.Response.Headers.Add("X-Frame-Options", "Deny");
        }
    }
}

Add the below to the web.config

  <system.webServer>
    <modules>
      <add name="XfoHeader" type="Demo.Website.Modules.XfoHeaderModule" />
    </modules>
  </system.webServer>


Aggie answered 7/3, 2014 at 11:27 Comment(2)
It's best to stay away from the PreSendRequestHeaders event as it has been deprecated. See: asp.net/aspnet/overview/web-development-best-practices/… (Zipah)
Your response in your screenshot has 2 X-Frame-Options headers. This would be invalid. (Maplemaples)
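Both HttpModule answers above hook PreSendRequestHeaders, which the first comment on this answer notes is deprecated. The following is an added example, not code from either answer, of the same module written against HttpResponse.AddOnSendingHeaders, the replacement API introduced in .NET Framework 4.5.2, so it assumes that framework or later; the Demo.Website.Modules namespace and the module name are assumptions. It also sets the header only when absent, so a response never ends up with two copies as in the screenshot the second comment describes.

```csharp
using System;
using System.Web;

namespace Demo.Website.Modules
{
    // Registered under <system.webServer><modules> exactly like the module in
    // the answer above, e.g.
    //   <add name="XFrameOptions" type="Demo.Website.Modules.XFrameOptionsModule" />
    public sealed class XFrameOptionsModule : IHttpModule
    {
        private const string HeaderName = "X-Frame-Options";
        private const string HeaderValue = "DENY";

        public void Init(HttpApplication app)
        {
            // Subscribe at the start of each request. The callback runs once,
            // just before the headers are flushed, whatever route the response
            // takes through ASP.NET (MVC action, error page, Response.Redirect).
            app.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs e)
        {
            var context = ((HttpApplication)sender).Context;
            // Available since .NET Framework 4.5.2; the recommended replacement
            // for the PreSendRequestHeaders event.
            context.Response.AddOnSendingHeaders(SetHeader);
        }

        private static void SetHeader(HttpContext context)
        {
            var headers = context.Response.Headers;
            // Only set it if nothing else (a filter, a page) already did, so the
            // response never carries two X-Frame-Options headers.
            if (headers[HeaderName] == null)
                headers[HeaderName] = HeaderValue;
        }

        public void Dispose()
        {
        }
    }
}
```

Two caveats: Response.Headers is only available under the IIS integrated pipeline, and whether the module also sees static files depends on the modules element's runAllManagedModulesForAllRequests setting (or the module's preCondition) in web.config. The guard against duplicates cannot see headers that IIS itself appends from <customHeaders>, so pick one mechanism, this module or the web.config entry, rather than enabling both.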

© 2022 - 2024 — McMap. All rights reserved.