Iframe and php_include

Sluwe · November 8, 2020, 9:15pm

Hello,

I am new here, and hopefully i get some answers and can fix this issue.
I have an iframe with <?php header('X-Frame-Options: DENY'); ?> so the iframe cant be used on other domains.
I have made an test to see the deny function is working…
http://www.footy.to/iframe.php , the iframe is at other domain and cant be use due the deny function, but now i am curious how to stop this when people using this technic

<?php include("http://www.mydomain.co/frame.php"); ?>

They are bypassing the deny option and the iframe is visible here
http://www.footy.to/14.php

how can i stop them to include stuff from my site or bypass the deny option.

Any help will be appreciated.

Thanks In advance

skawid · November 9, 2020, 11:27am

There’s no guaranteed way to do this; the content of your iframe is public on the internet. X-Frame-Options is used for security rather than to control access to content.

Is this page supposed to be behind a login, or do you just not want other people iframing your content?

benanamen · November 9, 2020, 4:10pm

X frames is a server setting not a code setting. You have it in the wrong place. Optimally you need to put it in the server config file. If you do not have access to that then it goes in htaccess.

Sluwe · November 9, 2020, 4:33pm

Hello ,

Thanks for reply,

I just dont want others use the content, for what i am doing on my site he will consume alot bandwith where i pay for

Sluwe · November 9, 2020, 4:35pm

Hello,

I tried this into .htaccess, but it seems lightspeed work different then apache.
I can block using my scripts, but then i block my own domain too.
I need to ask host if i have access to lightspeed settings

skawid · November 10, 2020, 9:41am

There’s a couple of things you can do to make it harder for other sites to load your content. As I said before these aren’t 100% effective, but it will stop any casual attempts:

In your iframed code, check $_SERVER['HTTP_REFERER'] and $_SERVER['HTTP_USER_AGENT']. HTTP_REFERER will be the URL of your main page for iframe requests, and HTTP_USER_AGENT should only exist if the request came from a browser. It is possible to spoof these values though.
Protect your iframe by requiring a token that only your main page knows. Alter your main page to open the iframe as http://www.footy.to/iframe.php?secret=[some token]. [some token] should be a random string that you generate for every request to your main page, and store in your back end. Your iframe can then check that [some token] is correct, and refuse to render if it isn’t. It’s possible to spoof this as well.

Sluwe · November 10, 2020, 8:55pm

Hey,

I will try this solution.
Thanks for answer!!