HTTP 中文开发手册
目录搜索
GuidesAccess control CORSAuthenticationBrowser detection using the user agentCachingCaching FAQCompressionConditional requestsConnection management in HTTP 1.xContent negotiationContent negotiation: List of default Accept valuesCookiesCSPMessagesOverviewProtocol upgrade mechanismProxy servers and tunnelingProxy servers and tunneling: Proxy Auto-Configuration (PAC) filePublic Key PinningRange requestsRedirectionsResources and specificationsResources and URIsResponse codesServer-Side Access ControlSessionGuides: BasicsBasics of HTTPChoosing between www and non-www URLsData URIsEvolution of HTTPIdentifying resources on the WebMIME TypesMIME types: Complete list of MIME typesCSPContent-Security-PolicyContent-Security-Policy-Report-OnlyCSP: base-uriCSP: block-all-mixed-contentCSP: child-srcCSP: connect-srcCSP: default-srcCSP: font-srcCSP: form-actionCSP: frame-ancestorsCSP: frame-srcCSP: img-srcCSP: manifest-srcCSP: media-srcCSP: object-srcCSP: plugin-typesCSP: referrerCSP: report-uriCSP: require-sri-forCSP: sandboxCSP: script-srcCSP: style-srcCSP: upgrade-insecure-requestsCSP: worker-srcHeadersAcceptAccept-CharsetAccept-EncodingAccept-LanguageAccept-RangesAccess-Control-Allow-CredentialsAccess-Control-Allow-HeadersAccess-Control-Allow-MethodsAccess-Control-Allow-OriginAccess-Control-Expose-HeadersAccess-Control-Max-AgeAccess-Control-Request-HeadersAccess-Control-Request-MethodAgeAllowAuthorizationCache-ControlConnectionContent-DispositionContent-EncodingContent-LanguageContent-LengthContent-LocationContent-RangeContent-TypeCookieCookie2DateDNTETagExpectExpiresForwardedFromHeadersHostIf-MatchIf-Modified-SinceIf-None-MatchIf-RangeIf-Unmodified-SinceKeep-AliveLarge-AllocationLast-ModifiedLocationOriginPragmaProxy-AuthenticateProxy-AuthorizationPublic-Key-PinsPublic-Key-Pins-Report-OnlyRangeRefererReferrer-PolicyRetry-AfterServerSet-CookieSet-Cookie2SourceMapStrict-Transport-SecurityTETkTrailerTransfer-EncodingUpgrade-Insecure-RequestsUser-AgentUser-Agent: FirefoxVaryViaWarningWWW-AuthenticateX-Content-Type-OptionsX-DNS-Prefetch-ControlX-Forwarded-ForX-Forwarded-HostX-Forwarded-ProtoX-Frame-OptionsX-XSS-ProtectionMethodsCONNECTDELETEGETHEADMethodsOPTIONSPATCHPOSTPUTStatus100 Continue101 Switching Protocols200 OK201 Created202 Accepted203 Non-Authoritative Information204 No Content205 Reset Content206 Partial Content300 Multiple Choices301 Moved Permanently302 Found303 See Other304 Not Modified307 Temporary Redirect308 Permanent Redirect400 Bad Request401 Unauthorized403 Forbidden404 Not Found405 Method Not Allowed406 Not Acceptable407 Proxy Authentication Required408 Request Timeout409 Conflict410 Gone411 Length Required412 Precondition Failed413 Payload Too Large414 URI Too Long415 Unsupported Media Type416 Range Not Satisfiable417 Expectation Failed426 Upgrade Required428 Precondition Required429 Too Many Requests431 Request Header Fields Too Large451 Unavailable For Legal Reasons500 Internal Server Error501 Not Implemented502 Bad Gateway503 Service Unavailable504 Gateway Timeout505 HTTP Version Not Supported511 Network Authentication RequiredStatus

©
本文档使用 php.cn手册 发布

文字

所述X-Frame-OptionsHTTP 响应报头可以被用来指示一个浏览器是否应该被允许在一个以呈现页面<frame><iframe><object>。通过确保其内容未嵌入其他网站,网站可以使用此功能来避免 点击劫持 攻击。

只有当访问文档的用户使用浏览器支持时才提供附加的安全性X-Frame-Options

Header type

Response header

Forbidden header name

no

句法

X-Frame-Options有三种可能的指示:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://example.com/

指令

如果指定DENY,从其他站点加载时,不仅尝试在框架中加载页面失败,从同一站点加载时尝试这样做将失败。另一方面,如果指定SAMEORIGIN,只要包含在框架中的站点与为页面提供服务的站点相同,仍然可以在框架中使用该页面。

DENY无论站点尝试这样做,页面都不能显示在框架中。SAMEORIGIN该页面只能显示在与页面本身相同的源框架中。ALLOW-FROM_ uri_页面只能显示在指定原点的框架中。

例子

注意:设置元标记是没用的!例如,<meta http-equiv="X-Frame-Options" content="deny">没有效果。不要使用它!只有像下面的例子那样设置HTTP头X-Frame-Options才能工作。

配置 Apache

要配置 Apache X-Frame-Options为所有页面发送标题,请将其添加到您网站的配置中:

Header always append X-Frame-Options SAMEORIGIN

要配置 Apache 来设置X-Frame-Options拒绝,请将其添加到您网站的配置中:

Header set X-Frame-Options DENY

要配置 Apache 以将其设置X-Frame-OptionsALLOW-FROM特定主机,请将其添加到您网站的配置中:

Header set X-Frame-Options "ALLOW-FROM https://example.com/"

配置 nginx

要配置 nginx 发送X-Frame-Options头文件,请将其添加到您的 http,服务器或位置配置中:

add_header X-Frame-Options SAMEORIGIN;

配置 IIS

要配置 IIS 发送X-Frame-Options标题,请添加此站点的Web.config文件:

<system.webServer>  ...  <httpProtocol>    <customHeaders>      <add name="X-Frame-Options" value="SAMEORIGIN" />    </customHeaders>  </httpProtocol>  ...</system.webServer>

配置 HAProxy

要配置 HAProxy 发送X-Frame-Options标题,请将其添加到前端,监听或后端配置中:

rspadd X-Frame-Options:\ SAMEORIGIN

产品规格

Specification

Title

RFC 7034

HTTP Header Field X-Frame-Options

浏览器兼容性

Feature

Chrome

Firefox

Edge

Internet Explorer

Opera

Safari

Basic Support

4.0

3.6.9

(Yes)

8.0

10.50

4.0

ALLOW-FROM

(No)

18

?

8.0

?

(Yes)

Feature

Android

Chrome for Android

Edge mobile

Firefox for Android

IE mobile

Opera Android

iOS Safari

Basic Support

(Yes)

(Yes)

(Yes)

(Yes)

(Yes)

(Yes)

(Yes)

ALLOW-FROM

?

?

?

?

?

?

?

上一篇:下一篇: