X-Frame-Options header
According to Mozilla documentation, the X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The two values browsers honour are DENY (the page may never be framed) and SAMEORIGIN (the page may only be framed by pages from the same origin). The older ALLOW-FROM value is obsolete and not supported by current browsers; the Content-Security-Policy frame-ancestors directive is the modern replacement when a specific third-party origin must be allowed to frame the page.
X-Content-Type-Options = nosniff
According to MSDN, X-Content-Type-Options: nosniff is a security feature that helps prevent attacks based on MIME-type confusion. If the server sends this response header, the browser trusts the declared Content-Type instead of inspecting the response bytes, and script and stylesheet elements reject responses with incorrect MIME types.
Example of MIME-sniffing:
Consider the case of a picture-sharing web service which hosts pictures uploaded by anonymous users. An attacker could upload a specially crafted JPEG file that contained script content, and then send a link to the file to unsuspecting victims. When the victims visited the server, the malicious file would be downloaded, the script would be detected by MIME sniffing, and it would run in the context of the picture-sharing site. This script could then steal the victim's cookies, generate a phony page, etc. With nosniff set, the browser honours the declared Content-Type (image/jpeg) and treats the upload as an image, so the embedded script is never executed.
Implementation of X-Frame-Options header and X-Content-Type-Options = nosniff
To implement these two options in our project, we need to add the following code to the project's web.config file:

    <system.webServer>
      …
      <httpProtocol>
        <customHeaders>
          <remove name="X-Content-Type-Options" />
          <add name="X-Content-Type-Options" value="nosniff" />
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
      …
    </system.webServer>

The <remove> entry clears any X-Content-Type-Options value inherited from a parent configuration, so the header is emitted exactly once. SAMEORIGIN still allows the site's own pages to frame each other; use DENY if nothing should be able to frame the page.
After updating the web.config, here are the results of the HTTP headers for different browsers.
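To check that the web.config change actually took effect, the following script audits a raw HTTP response for the two headers. This is an added example and not code from the original article; the sample responses in it are constructed, and in practice you would feed it the output of a tool such as `curl -si https://host/` (assumed usage). It also flags the duplicate-header case that the `<remove>` element guards against.

```python
"""Audit a raw HTTP response for X-Frame-Options and X-Content-Type-Options.

Added example, not code from the original article. Parses the status line and
header block of a captured response and reports whether the two headers are
present with values browsers honour. The sample responses are constructed.
"""
from typing import Dict, List

# The X-Frame-Options values current browsers honour. ALLOW-FROM is obsolete;
# the CSP frame-ancestors directive is the modern way to allow a given origin.
SAFE_FRAME_OPTIONS = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Return a map of lower-cased header name -> list of raw values.

    Repeated headers are kept as separate entries rather than merged, so a
    header emitted twice (e.g. once by IIS customHeaders and once by
    application code) stays visible to the audit.
    """
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\n")[1:]:  # index 0 is the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _values(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Flatten repeated headers and comma-separated lists into one value list."""
    out: List[str] = []
    for raw in headers.get(name, []):
        out.extend(p.strip() for p in raw.split(",") if p.strip())
    return out


def audit(raw: str) -> Dict[str, str]:
    """Return one finding per header: 'ok', 'missing', or a reason to fix it."""
    headers = parse_headers(raw)
    findings: Dict[str, str] = {}

    xfo = [v.upper() for v in _values(headers, "x-frame-options")]
    if not xfo:
        findings["x-frame-options"] = "missing"
    elif len(set(xfo)) > 1:
        # Browsers differ in how they resolve conflicting values; the only
        # safe fix is to emit exactly one header.
        findings["x-frame-options"] = "conflicting values; emit a single header"
    elif xfo[0] in SAFE_FRAME_OPTIONS:
        findings["x-frame-options"] = "ok"
    elif xfo[0].startswith("ALLOW-FROM"):
        findings["x-frame-options"] = "obsolete ALLOW-FROM; use CSP frame-ancestors"
    else:
        findings["x-frame-options"] = f"invalid value {xfo[0]!r}"

    xcto = [v.lower() for v in _values(headers, "x-content-type-options")]
    if not xcto:
        findings["x-content-type-options"] = "missing"
    elif set(xcto) == {"nosniff"}:
        findings["x-content-type-options"] = "ok"
    else:
        findings["x-content-type-options"] = f"invalid value(s) {xcto!r}"
    return findings


# Constructed sample responses (not captured from any real server).
RESPONSE_BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n"
    "<html>...</html>"
)

RESPONSE_AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "\r\n"
    "<html>...</html>"
)

# X-Frame-Options emitted twice with different values, as happens when both
# IIS customHeaders and application code set it without a <remove>.
RESPONSE_CONFLICT = (
    "HTTP/1.1 200 OK\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, resp in (("before", RESPONSE_BEFORE), ("after", RESPONSE_AFTER),
                        ("conflict", RESPONSE_CONFLICT)):
        print(label, audit(resp))
```

The audit reads header values case-insensitively, as browsers do, and treats a comma-separated list or a repeated header as multiple values, since either form reaches the browser as more than one value.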