Web Application Security
Secure iFrames Nov 03 2014 01:02PM
NightShade (avghacker gmail com) (2 replies)
Re: Secure iFrames Nov 05 2014 02:54PM
David Ford (david blue-labs org)
Use CSP, X-Frame-Options, Strict-Transport-Security, X-XSS-Protection,
CORS HTTP headers -- and _everything_ over HTTPS. Those are a great start.

-d

On 11/03/2014 08:02 AM, NightShade wrote:
> Was hoping to get some feedback on what everyone feels are best
> practices around securing iFrames. I've seen a lot of payment
> platforms moving in this direction (ie. Gumroad, Stripe, Memberful)
> yet with little documentation around "here is the best way to secure
> the iFrame our JavaScript generates".
>
> The best documentation I've seen so far recommends an HTTPS webpage
> with each link pointing to an HTTPS link as well. This way when
> you click the link to load a modal / JS for the payment solution it is
> "supposedly" done over HTTPS even though the browser won't present a
> padlock (assuming the hosting page is HTTP). The other example I've
> seen is a simple HTTP page that contains an HTTP link which in turn
> opens a secure iFrame... which is probably not a good idea since you
> are mixing secure and non-secure content.
>
> Thoughts?
>
>
>
> This list is sponsored by Cenzic
> --------------------------------------
> Let Us Hack You. Before Hackers Do!
> It's Finally Here - The Cenzic Website HealthCheck. FREE.
> Request Yours Now! http://www.cenzic.com/2009HClaunch_Securityfocus
> --------------------------------------
>

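One way to turn the header list in the reply above into something a team can generate and check is shown below. This is an added example written for this thread, not code from any of the posters; the origin `https://merchant.example` is a constructed placeholder. It builds the response headers for a framed payment page (CSP `frame-ancestors` with `X-Frame-Options` as the legacy fallback, HSTS, and the older `X-XSS-Protection` filter header), and audits an arbitrary header set for the gaps the thread is worried about, including an `http:` parent origin that would reintroduce mixed content.

```python
"""Header set for a page served inside an iframe (for example a hosted
payment form), plus an audit routine that flags missing or weak values.
Example code for this thread; origins below are constructed placeholders."""

from typing import Dict, List

# Constructed placeholder: the merchant site allowed to embed the frame.
MERCHANT_ORIGIN = "https://merchant.example"


def csp_directives(value: str) -> Dict[str, List[str]]:
    """Parse a Content-Security-Policy value into {directive: [sources]}."""
    result: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            result[tokens[0].lower()] = tokens[1:]
    return result


def frame_page_headers(allowed_parents: List[str]) -> Dict[str, str]:
    """Headers for the framed (child) page.

    allowed_parents: origins permitted to embed it; empty means deny all.
    """
    if allowed_parents:
        ancestors = "'self' " + " ".join(allowed_parents)
        # X-Frame-Options cannot carry a list of origins. Browsers that
        # understand frame-ancestors ignore it, so it is only a fallback.
        xfo = "SAMEORIGIN"
    else:
        ancestors = "'none'"
        xfo = "DENY"
    return {
        "Content-Security-Policy": (
            "default-src 'self'; "
            f"frame-ancestors {ancestors}; "
            "form-action 'self'; "
            # Rewrites any http: subresource to https: before it loads,
            # which addresses the mixed-content concern in the question.
            "upgrade-insecure-requests"
        ),
        "X-Frame-Options": xfo,
        # One year, covering subdomains, so the frame is never fetched over
        # plain HTTP after the first visit.
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        # Legacy reflected-XSS filter header; CSP is the effective control.
        "X-XSS-Protection": "1; mode=block",
    }


def hsts_max_age(value: str) -> int:
    """Return the max-age from an HSTS value, or 0 if absent/malformed."""
    for token in value.split(";"):
        key, _, val = token.strip().partition("=")
        if key.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for a framed page's headers (empty = OK)."""
    # Header names are case-insensitive, so normalise before lookup.
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    csp = csp_directives(h.get("content-security-policy", ""))
    ancestors = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").strip().upper()
    if ancestors is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no framing restriction: set CSP frame-ancestors "
                        "(and X-Frame-Options as a fallback)")
    elif ancestors is not None and "*" in ancestors:
        findings.append("frame-ancestors allows any origin")
    elif ancestors is not None and any(a.startswith("http:") for a in ancestors):
        findings.append("frame-ancestors permits an http: parent; "
                        "the embedding page must be HTTPS as well")

    if hsts_max_age(h.get("strict-transport-security", "")) < 180 * 24 * 3600:
        findings.append("Strict-Transport-Security missing or max-age "
                        "below about six months")
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy missing")
    return findings


if __name__ == "__main__":
    good = frame_page_headers([MERCHANT_ORIGIN])
    for name, value in good.items():
        print(f"{name}: {value}")
    print("findings:", audit_headers(good))
    print("findings for bare response:", audit_headers({}))
```

The audit reads whatever the server actually sent, so it can be pointed at both the framed page and the page that embeds it. The CORS headers mentioned in the reply are deliberately left out of the framed page: `Access-Control-Allow-Origin` governs cross-origin script reads of a response, not whether a document may be framed, and a payment frame normally has no reason to expose its responses to other origins.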
Re: Secure iFrames Nov 04 2014 01:43AM
Dave Pyper (davepyper davepyper com) (2 replies)
Re: Secure iFrames Nov 05 2014 02:56PM
David Ford (david blue-labs org)
Re: Secure iFrames Nov 04 2014 06:53PM
Tim Brown (tmb 65535 com)
Copyright 2010, SecurityFocus