Preventing clickjacking using Thinktecture IdentityModel

brockallen

I don’t know why it’s taken me this long to add anti-clickjacking support, but I finally needed it myself today so I added it to Thinktecture IdentityModel. If you’re not familiar with clickjacking, it’s an attack where your HTML is loaded into an <iframe> on an attacker-controlled page and the end user is tricked into clicking links or buttons in your app without realising it. To thwart clickjacking, each of your pages needs to emit an X-Frame-Options HTTP response header that tells the browser whether the page may be rendered inside an <iframe> at all, and if so by whom.

To emit the X-Frame-Options HTTP response header I devised a FrameOptionsAttribute MVC response filter class. To protect a page in MVC you’d simply apply the [FrameOptions] attribute to a controller or action method and the filter will emit the X-Frame-Options header. By default DENY is emitted (the most restrictive/secure option), but the constructor overloads allow other options. Here are a…
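As an added illustration of the filter approach described above (my own sketch, not the FrameOptionsAttribute shipped in Thinktecture IdentityModel), here is an ASP.NET MVC action filter that emits the header, defaults to DENY, and can be registered globally so no page is missed. The class, enum and FilterConfig names are assumptions, and writing to Response.Headers assumes the IIS integrated pipeline.

```csharp
using System;
using System.Web.Mvc;

// Values the X-Frame-Options header can carry.
public enum FrameOptions
{
    Deny,       // never render this page inside a frame
    SameOrigin, // allow framing only by pages from the same origin
    AllowFrom   // allow framing only by one named origin (legacy, not honoured by all browsers)
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public class XFrameOptionsAttribute : ActionFilterAttribute
{
    private readonly string _headerValue;

    // Default constructor: DENY, the most restrictive and safest choice.
    public XFrameOptionsAttribute() : this(FrameOptions.Deny) { }

    public XFrameOptionsAttribute(FrameOptions option)
    {
        if (option == FrameOptions.AllowFrom)
            throw new ArgumentException("ALLOW-FROM needs an origin; use the (FrameOptions, string) overload.");
        _headerValue = option == FrameOptions.Deny ? "DENY" : "SAMEORIGIN";
    }

    // ALLOW-FROM form; only the scheme and host of the origin are emitted.
    public XFrameOptionsAttribute(FrameOptions option, string allowedOrigin)
    {
        Uri origin;
        if (option != FrameOptions.AllowFrom || !Uri.TryCreate(allowedOrigin, UriKind.Absolute, out origin))
            throw new ArgumentException("ALLOW-FROM requires an absolute origin such as https://trusted.example");
        _headerValue = "ALLOW-FROM " + origin.GetLeftPart(UriPartial.Authority);
    }

    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        // Assign rather than append: global, controller and action filters run in that order,
        // so the most specific attribute ends up as the single header value the browser sees.
        filterContext.HttpContext.Response.Headers["X-Frame-Options"] = _headerValue;
        base.OnResultExecuting(filterContext);
    }
}

// Assumed placement: App_Start/FilterConfig.cs. Registering the filter globally means every
// action emits DENY unless a controller or action opts into a looser value explicitly.
public static class FilterConfig
{
    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new XFrameOptionsAttribute());
    }
}
```

A quick check after deploying is to fetch any page and confirm the response carries exactly one X-Frame-Options header; a page that must be framed by a partner site would carry [XFrameOptions(FrameOptions.AllowFrom, "https://partner.example")] and nothing else.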
