Added another frame busting technique to make the authorization server more secure.

author: Andrew Arnott <andrewarnott@gmail.com> 2012-02-20 11:05:08 -0800
committer: Andrew Arnott <andrewarnott@gmail.com> 2012-02-20 11:05:08 -0800
commit: 234cf20e86b0ed1d65bca4a61eabb3277e8562c5 (patch)
tree: c13f949c18e08e5ab1889b6d7b98968463f3aea6 /samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
parent: 6bec41a02764e66581a5eaaaa6980b9124f7ca7b (diff)
download: DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.zip
DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.gz
DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.bz2
1 files changed, 1 insertions, 0 deletions
diff --git a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
index a67c57b..9d2f6e9 100644
--- a/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
+++ b/samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
@@ -36,6 +36,7 @@
 		/// </summary>
 		/// <returns>The browser HTML response that prompts the user to authorize the client.</returns>
 		[Authorize, AcceptVerbs(HttpVerbs.Get | HttpVerbs.Post)]
+		[HttpHeader("x-frame-options", "SAMEORIGIN")] // mitigates clickjacking
 		public ActionResult Authorize() {
 			var pendingRequest = this.authorizationServer.ReadAuthorizationRequest();
 			if (pendingRequest == null) {
author	Andrew Arnott <andrewarnott@gmail.com>	2012-02-20 11:05:08 -0800
committer	Andrew Arnott <andrewarnott@gmail.com>	2012-02-20 11:05:08 -0800
commit	234cf20e86b0ed1d65bca4a61eabb3277e8562c5 (patch)
tree	c13f949c18e08e5ab1889b6d7b98968463f3aea6 /samples/OAuthAuthorizationServer/Controllers/OAuthController.cs
parent	6bec41a02764e66581a5eaaaa6980b9124f7ca7b (diff)
download	DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.zip DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.gz DotNetOpenAuth-234cf20e86b0ed1d65bca4a61eabb3277e8562c5.tar.bz2