Content theft via iframes and clickjacking attacks poses major security risks to modern websites. By implementing a Content-Security-Policy
Copy
Search Site
Search Google
(CSP) header with the frame-ancestors
Copy
Search Site
Search Google
directive inside your web.config
Copy
Search Site
Search Google
file, you can explicitly dictate which domains are legally allowed to embed your pages. This action ensures only your trusted websites can display your content, while completely blocking unauthorized external sites.
Web.Config - Content-Security-Policy
[ASP.NET - Web.config (Content-Security-Policy)]
CFFCS | CarrzSynEdit: | ASP.NET (VB/C#)
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <remove name="Content-Security-Policy" />
        <add name="Content-Security-Policy" value="frame-ancestors 'self' https://yourdomain.com https://*.anotherdomain.net;" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

IIS Global Settings for All websites
You can also set this globally.
  1. Open IIS
  2. Click on the Server Node
  3. Open HTTP Response Headers
  4. Click Add
  5. [ASP.NET - Content-Security-Policy]
    CFFCS | CarrzSynEdit: | ASP.NET (VB/C#)
    Name: Content-Security-Policy
    Value: frame-ancestors 'self' https://yourdomain.com https://yourotherdomain https://*.yourdomain.com https://*.yourotherdomain

    Add as many websites as you wish, all separated with a single space.
  6. Click OK
Using a shared file.

Create a text file listing the websites you want to allow access to the content.
Value: frame-ancestors 'self' https://yourdomain.com
Save it as csp-header.txt
In IIS for each website, Right-click and add a Virtual Folder.
Point to the Shared folder location.
Then, inside a Global.asax
Copy
Search Site
Search Google
file, you can add it there.
[ASP.NET - Global.asax]
CFFCS | CarrzSynEdit: | ASP.NET (VB/C#)
string cspPath = HostingEnvironment.MapPath("~/Syntax/csp-header.txt");
string cspValue = System.IO.File.ReadAllText(cspPath);
HttpContext.Current.Response.AddHeader("Content-Security-Policy", cspValue);

Other Articles Related to this Entry.How to Prevent Image Hotlinking and Bandwidth Theft in IIS Using URL Rewrite«