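Website hotlink protection: preventing your pages from being embedded in an iframe

Other websites may use an iframe to hotlink your pages. We can set the following property to prevent this.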


Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

Header always append X-Frame-Options SAMEORIGIN

Configuring nginx

To configure nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

add_header X-Frame-Options SAMEORIGIN;

Configuring IIS

To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

Configuring HAProxy

To configure HAProxy to send the X-Frame-Options header, add this to your frontend, listen, or backend configuration:

rspadd X-Frame-Options:\ SAMEORIGIN

Note: Setting the meta tag is useless. For instance, <meta http-equiv="X-Frame-Options" content="deny"> has no effect. Do not use it. X-Frame-Options works only when it is set through the HTTP header, as in the examples above.
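To confirm that a server really sends the header (rather than only a meta tag), a response can be audited as in the following added example, which is not part of the original page. The function name audit_framing, the sample responses, and the choice to accept only DENY and SAMEORIGIN are assumptions made for this illustration.

```python
import re

ACCEPTED = {"DENY", "SAMEORIGIN"}  # assumption: only these two values pass
META_RE = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?x-frame-options", re.I)

def audit_framing(raw_response):
    """Check one raw HTTP response (status line, headers, blank line, body)."""
    head, _, body = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # Repeated or appended headers can arrive comma-joined
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    findings = []
    if META_RE.search(body):
        findings.append("meta http-equiv X-Frame-Options in body has no effect")
    if not values:
        findings.append("X-Frame-Options response header missing")
    elif any(v not in ACCEPTED for v in values):
        findings.append("unexpected value(s): " + ", ".join(values))
    elif len(set(values)) > 1:
        findings.append("conflicting values: " + ", ".join(values))
    # Clean configuration: exactly one distinct, accepted value in the header
    ok = bool(values) and set(values) <= ACCEPTED and len(set(values)) == 1
    return {"ok": ok, "values": values, "findings": findings}

# Constructed sample responses (not captured from a real site)
HEADER_SET = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
              "X-Frame-Options: SAMEORIGIN\r\n\r\n<html></html>")
META_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
             '<html><head><meta http-equiv="X-Frame-Options" content="deny">'
             "</head></html>")
CONFLICT = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
            "X-Frame-Options: SAMEORIGIN\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("header", HEADER_SET), ("meta only", META_ONLY),
                       ("conflict", CONFLICT)]:
        print(label, audit_framing(raw))
```

The same function can be fed the text of a real response saved with its headers, provided the header block and body are separated by a blank CRLF line.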

Results

When an attempt is made to load content into a frame, and permission is denied by the X-Frame-Options header, Firefox currently renders about:blank into the frame. At some point, an error message of some kind will be displayed in the frame instead.