Wednesday, June 29, 2016

Security Headers Part 1

Part one covers XFS (cross-frame scripting). The point is to show one silly risk and one real risk of not setting the X-Frame-Options header correctly on pages where sensitive transactions take place. The example referenced below is just that, an example (hence the .info domain): there is no malicious intent and no actual compromise of any of the sites used in the examples. One big TODO is to get the pages to resize dynamically with the browser window so the UI elements in the parent frame line up more smoothly. Time is short, and what should have taken weeks to fit into the schedule took months, so here it is:
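To make the "set correctly" part concrete, here is an added example (my own code, not from the post or from evilsite.info) that classifies a response's frame protection and shows a WSGI middleware that applies it. The header values and the transfer_page app are constructed samples; the rules follow X-Frame-Options (DENY / SAMEORIGIN valid, ALLOW-FROM obsolete, anything else ignored by browsers) and CSP frame-ancestors, which takes precedence over X-Frame-Options where supported.

```python
"""Assess and enforce frame protection on HTTP responses.

Added example, not code from the original post. All sample headers and
the demo WSGI app below are constructed for illustration.
"""
from typing import Mapping, Tuple


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup; returns '' when absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def _frame_ancestors(csp: str) -> str:
    """Return the frame-ancestors source list from a CSP value, or ''."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches no origin, the same as 'none'.
            return " ".join(parts[1:]) or "'none'"
    return ""


def assess_frame_protection(headers: Mapping[str, str]) -> Tuple[str, str]:
    """Classify a response as protected, weak or unprotected against framing.

    CSP frame-ancestors overrides X-Frame-Options in browsers that support
    it, so it is evaluated first.
    """
    ancestors = _frame_ancestors(_header(headers, "Content-Security-Policy"))
    if ancestors:
        if "*" in ancestors.split():
            return "weak", f"frame-ancestors {ancestors} lets any origin frame the page"
        return "protected", f"frame-ancestors {ancestors}"

    xfo = _header(headers, "X-Frame-Options").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by most browsers"
    if xfo:
        # e.g. "DENY, SAMEORIGIN": browsers discard an unrecognised value.
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r}"
    return "unprotected", "no X-Frame-Options or CSP frame-ancestors"


def add_frame_protection(app, value: str = "DENY"):
    """WSGI middleware adding X-Frame-Options and the CSP equivalent.

    Headers the wrapped application already set are left untouched.
    """
    ancestors = "'none'" if value.upper() == "DENY" else "'self'"

    def wrapped(environ, start_response):
        def guarded_start_response(status, response_headers, exc_info=None):
            present = {name.lower() for name, _ in response_headers}
            if "x-frame-options" not in present:
                response_headers.append(("X-Frame-Options", value))
            if "content-security-policy" not in present:
                response_headers.append(
                    ("Content-Security-Policy", f"frame-ancestors {ancestors}")
                )
            return start_response(status, response_headers, exc_info)

        return app(environ, guarded_start_response)

    return wrapped


def transfer_page(environ, start_response):
    """Constructed stand-in for a sensitive transaction page that sets no
    frame protection of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post' action='/transfer'>...</form>"]


def run_wsgi(app, path: str = "/transfer") -> Tuple[str, dict, bytes]:
    """Invoke a WSGI app offline and return (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)
        return lambda data: None

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    _, bare_headers, _ = run_wsgi(transfer_page)
    print("bare app:     ", assess_frame_protection(bare_headers))
    _, guarded_headers, _ = run_wsgi(add_frame_protection(transfer_page))
    print("with guard:   ", assess_frame_protection(guarded_headers))
```

Running it shows the unguarded transfer page classified as unprotected and the same page behind the middleware as protected; the "weak" class is there because an ALLOW-FROM value or a wildcard frame-ancestors looks like a setting but gives no real protection.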

evilsite.info