Tech Tip: Preventing clickjacking from 4D Web Server's 404 page
PRODUCT: 4D | VERSION: 16 | PLATFORM: Mac & Win
Published On: February 14, 2017
Clickjacking is prevented by sending the "X-Frame-Options: deny" response header, which tells the browser not to render the page inside a frame. It can be set within a 4D Web process using the following code:

  $deny:="X-Frame-Options: deny"
  WEB SET HTTP HEADER($deny)
It may not be immediately apparent, but this can also be applied to the 404 page by rolling your own custom 404 page (which is extremely easy).
Take the following On Web Connection code for example:

  C_TEXT($1;$2;$3;$4;$5;$6)  // $1 is the requested URL
  Case of
    : ($1="/Home@")
      // handle the /Home requests
      //...
    : ($1="/About@")
      // handle the /About requests
      //...
    : ($1="/Products@")
      // handle the /Products requests
      //...
  End case
All we need to do to add a custom 404 page is add an Else statement like this:
  C_TEXT($1;$2;$3;$4;$5;$6)  // $1 is the requested URL
  Case of
    : ($1="/Home@")
      // handle the /Home requests
      //...
    : ($1="/About@")
      // handle the /About requests
      //...
    : ($1="/Products@")
      // handle the /Products requests
      //...
    Else
      // send a 404 for all other requests, with the anti-clickjacking header
      $deny:="X-Frame-Options: deny"
      WEB SET HTTP HEADER($deny)
      WEB SEND TEXT("404")
  End case

Now any unknown URL will hit this Else branch and receive our custom 404 string along with the header that prevents clickjacking.
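To confirm the Else branch really sends the header, the following shell check (an added example, not part of the tech tip or 4D's own code) inspects a response's headers for a framing-blocking X-Frame-Options value; the localhost:8080 address and the /does-not-exist path are assumptions.

```shell
#!/bin/sh
# Added example: verify that an unknown URL on the 4D web server answers
# with an X-Frame-Options header that blocks framing (deny or sameorigin).

# xfo_value: read raw HTTP response headers on stdin and print the
# lower-cased X-Frame-Options value, or nothing if the header is absent.
# Header names are matched case-insensitively and surrounding spaces trimmed.
xfo_value() {
  tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
    | cut -d: -f2- | tr 'A-Z' 'a-z' \
    | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# xfo_ok: succeed only when the value actually blocks framing.
# "allow-from ..." and a missing header both count as not protected.
xfo_ok() {
  case "$(xfo_value)" in
    deny|sameorigin) return 0 ;;
    *) return 1 ;;
  esac
}

# check_url: fetch only the headers of an unknown path on a running 4D web
# server (address assumed) and report whether the 404 path is protected.
check_url() {
  url="${1:-http://localhost:8080/does-not-exist}"
  if curl -sS -D - -o /dev/null "$url" | xfo_ok; then
    echo "OK: $url sends a framing-blocking X-Frame-Options header"
  else
    echo "MISSING: $url does not block framing" >&2
    return 1
  fi
}
```

Run `check_url http://your-4d-host:port/some-unknown-path` against the server; the functions also accept a saved response on stdin, e.g. `cat headers.txt | xfo_ok`.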