Colin Bacon, web developer.

MVC5 prevents your website being loaded in an IFRAME

MVC5 prevents your website being loaded in an IFRAME

Allowing your content to be hosted in a cross-domain IFRAME can make your website vulnerable to attacks such as framesniffing and clickjacking. Now MVC5 prevents this by default.

What are these things you talk of?


Framesniffing involves the use of an IFRAME to load your website inside the attackers' webpage. The attackers can then read information about the content and structure of your page.


...a malicious technique of tricking a Web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages.

Again by loading your website into an IFRAME inside the attackers' webpage, the attacker can make the user perform actions that they are unaware of.

So what does MVC5 do?

To prevent these attacks you must set the X-Frame-Options header value to SAMEORIGIN. This will block rendering unless the origin of the content is the same as the containing page. MVC5 does this by default when using an AntiForgeryToken in the page.

If we look at the header of an MVC5 site we can see X-Frame-Options set to SAMEORIGIN.

MVC5 http header

But I don't want it

There are instances where we do want to allow our website to be loaded in an IFRAME. In these cases we can configure the value in Global.asax.cs

protected void Application_Start()
    AntiForgeryConfig.SuppressXFrameOptionsHeader = true;

Now if we look at the header we can see the value has changed.

MVC5 http header


MVC5 now protects against cross-domain IFRAME attacks by default but also allows you to configure this in Global.asax.cs


Mitigating framesniffing with the X-Frame-Options header

Framesniffing - The Register

Clickjacking - Wikipedia