We had a third-party security audit and they found a bunch of things that needed to be corrected. We fixed all of them, except for one. They claim we still have a problem with Cross Frame Scripting and clickjacking. The test put our login page within a frame in a page on a completely different website, which could be exploited. While it is considered a low threat, my boss wants me to resolve this.
What we did originally was put this in the web.config:
    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
Apparently this doesn't cut it. I've looked at other solutions but all I could find was to put JavaScript on every page (in our case in the MasterPage) that checks the frame origin, but I thought something like above would be a better solution. Has anyone found a solution for this problem?
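
A way to check what the login page response actually carries, as an added example that is not part of the original post: it judges a response's `X-Frame-Options` header and also the CSP `frame-ancestors` directive, which the post does not mention. The function names, the `/Login.aspx` path and the sample header blocks are assumptions constructed for illustration.

```python
# Added example: judge a response's anti-framing headers.
# All sample header blocks below are constructed, not captured traffic.

def parse_headers(raw):
    """Parse 'Name: value' lines into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp_values):
    """Return one source list per frame-ancestors directive found."""
    found = []
    for policy in csp_values:
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                found.append([p.lower() for p in parts[1:]])
    return found

def framing_verdict(raw):
    """Return (ok, reason); ok means framing is limited to the same origin or denied."""
    h = parse_headers(raw)
    lists = frame_ancestors(h.get("content-security-policy", []))
    if lists:
        # Browsers that support frame-ancestors enforce it in place of X-Frame-Options.
        if any(set(src) <= {"'none'", "'self'"} for src in lists):
            return True, "CSP frame-ancestors restricts framing"
        return False, "CSP frame-ancestors lists other origins"
    xfo = {v.strip().upper() for line in h.get("x-frame-options", [])
           for v in line.split(",") if v.strip()}
    if not xfo:
        return False, "no X-Frame-Options or frame-ancestors on this response"
    if xfo in ({"DENY"}, {"SAMEORIGIN"}):
        return True, "X-Frame-Options " + xfo.pop()
    return False, "X-Frame-Options obsolete or conflicting: " + ", ".join(sorted(xfo))

SAMPLES = {  # constructed responses for a hypothetical /Login.aspx
    "header set": "Content-Type: text/html\nX-Frame-Options: SAMEORIGIN",
    "header missing": "Content-Type: text/html\nCache-Control: no-store",
    "allow-from": "X-Frame-Options: ALLOW-FROM https://partner.example",
    "csp": "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", framing_verdict(raw))
```

Passing the headers of the real login response (copied from the browser's network tab, for example) to `framing_verdict` shows whether the header configured in web.config is reaching that page.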