How to protect against Matadoor
(and clickjacking in general)
HTTP Headers
The most popular and standard way to protect against clickjacking is to send anti-framing HTTP headers with every response:
- Content-Security-Policy: frame-ancestors 'self'
- X-Frame-Options: SAMEORIGIN
With these values the browser refuses to render your site inside a frame on any other origin; framing by your own origin is still allowed. If nothing of yours needs to frame the site, use the stricter forms instead: frame-ancestors 'none' and X-Frame-Options: DENY. Send both headers: Content-Security-Policy is the current standard, X-Frame-Options covers older browsers, and a browser that understands frame-ancestors ignores X-Frame-Options when both are present. If there is no special use case for your site to be framed, the HTTP headers are the way to go.
SameSite Cookie
The authentication cookie is stored in the browser once the user has logged in. If that cookie carries a SameSite attribute of Strict or Lax, the browser does not send it with the cross-site request that loads your page inside an attacker's iframe. The page still renders in the frame, but it does not recognise the pre-established session, so the hidden click lands on an unauthenticated page. Two caveats: SameSite only helps when the framing page is on a different site, so a frame served from another subdomain of your own registrable domain still receives the cookie; and a cookie set with SameSite=None (which requires Secure) is sent regardless. Chromium-based browsers treat a cookie without the attribute as Lax, but set it explicitly rather than relying on that default.
Confirm with a built-in function
// window.self === window.top is true only when this document is the top-level page, at any nesting depth
if ((window.self === window.top) || confirm("Please confirm that you wanted to...")) {
  // Your code here representing a privileged action
}
The code above checks whether the page is rendered inside a frame. If it is, the browser shows a confirm dialog asking the user to approve the action, and the action runs only if the user presses OK. That dialog is drawn by the browser itself, outside the framed document, so the attacker's page cannot cover, restyle or click it. If the attacker frames the page with the sandbox attribute and without allow-modals, confirm() returns false without showing anything, which still blocks the action.
You can wrap every privileged action a user can trigger on the website in this check. Note that it only guards actions that go through JavaScript: a plain HTML form still submits if the attacker's sandbox attribute turns scripts off, so pair this with the HTTP headers rather than relying on it alone.
Dynamically render links and buttons
Render all privileged links and buttons as disabled in the HTML the server sends.
On document load, check whether the page is inside a frame with the (window.self === window.top) test and enable the controls only when it is not.
This way the website works normally when opened directly, but a framed copy keeps its buttons disabled. Because the controls start disabled and only script can enable them, an attacker who uses the iframe sandbox attribute to turn scripts off gets a page with everything still disabled, which is the safe outcome.
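The two client-side defences described above (the confirm() guard and the disabled-by-default controls), as an added example that is not code from the original article. The functions take the window and document as parameters so they can be exercised outside a browser; the fake window, document and elements at the bottom are constructed here for the offline run and are not browser APIs. In a real page pass the globals window and document, and mark privileged controls with a data-privileged attribute (an assumed convention, not from the original).

```javascript
// Added example (not from the original article). Assumed convention:
// privileged controls carry data-privileged; links keep their target in
// data-href until a top-level document restores it as href.

// True when the document is rendered inside any frame, at any nesting depth.
function isFramed(win) {
  return win.self !== win.top;
}

// Wraps a privileged action. Outside a frame the action runs at once; inside
// a frame the user must approve a confirm() dialog, which the browser draws
// outside the framed document so an overlay cannot hide it. A sandboxed
// iframe without allow-modals makes confirm() return false with no dialog,
// so the action is refused (fail-safe). Returns whether the action ran.
function runPrivilegedAction(win, action, message, confirmFn) {
  const ask = confirmFn || ((msg) => win.confirm(msg));
  if (!isFramed(win) || ask(message)) {
    action();
    return true;
  }
  return false;
}

// Server-rendered controls start disabled (buttons/inputs via the disabled
// attribute, links without an href). Only a top-level document enables them;
// a framed copy, or a copy whose scripts were sandboxed away, stays disabled.
// Returns the number of controls enabled.
function enableControlsIfTopLevel(win, doc) {
  if (isFramed(win)) return 0;
  let enabled = 0;
  for (const el of doc.querySelectorAll('[data-privileged]')) {
    if (el.tagName === 'A') {
      el.setAttribute('href', el.getAttribute('data-href'));
    } else {
      el.removeAttribute('disabled');
    }
    enabled++;
  }
  return enabled;
}

// Real-page hookup: run on load. Skipped outside a browser.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  document.addEventListener('DOMContentLoaded', () => enableControlsIfTopLevel(window, document));
}

// --- constructed test doubles for the offline run (not browser APIs) ---
function fakeElement(tagName, attrs) {
  const a = { ...attrs };
  return {
    tagName,
    getAttribute: (k) => (k in a ? a[k] : null),
    setAttribute: (k, v) => { a[k] = String(v); },
    removeAttribute: (k) => { delete a[k]; },
    hasAttribute: (k) => k in a,
  };
}
function fakeDocument(elements) {
  // Only the [data-privileged] selector is needed here.
  return { querySelectorAll: () => elements.filter((e) => e.hasAttribute('data-privileged')) };
}
function fakeWindow(framed) {
  const win = { confirm: () => false }; // headless: no dialog, user cannot approve
  win.self = win;
  win.top = framed ? {} : win;
  return win;
}

// Runs both defences once as a top-level page and once inside a frame.
function demo() {
  const results = {};
  for (const framed of [false, true]) {
    const win = fakeWindow(framed);
    const doc = fakeDocument([
      fakeElement('BUTTON', { 'data-privileged': '', disabled: '' }),
      fakeElement('A', { 'data-privileged': '', 'data-href': '/transfer' }),
      fakeElement('BUTTON', {}), // ordinary control, never touched
    ]);
    results[framed ? 'framed' : 'topLevel'] = {
      controlsEnabled: enableControlsIfTopLevel(win, doc),
      actionRan: runPrivilegedAction(win, () => {}, 'Please confirm the transfer'),
    };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo()); // topLevel: 2 controls enabled, action ran; framed: 0, refused
}
```

In the framed run the fake confirm() always refuses, which is also what a browser does inside a sandboxed frame without allow-modals; pass a confirmFn that returns true to model the user pressing OK.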