How To Secure Apache From Clickjack attack using CSP frame-ancestors

How To Secure Apache From Clickjack attack using CSP frame-ancestors

Explains the steps required to secure websites and web-based applications from Clickjacking hosted on Apache HTTP Server using the CSP frame-ancestors directive.

April 03, 2019

As mentioned in the previous post - How To Secure Apache From Clickjack attack using X-Frame-Options, Clickjacking, also known as UI redress attack is one of the well-known vulnerability of websites and web-based applications. It's used by the attacker to force the user to click without user consent, leading to redirection to unknown websites.

In this post, we will discuss the newer option to prevent the same attack. We can do the same using the HTTP Content-Security-Policy (CSP) frame-ancestors directive by specifying the valid parents to allow embedding of frames using the frame, iframe, object, embed, or applet tags. The older browsers do not support this header directive.

We have discussed the X-FRAME-OPTIONS directive DENY to deny the frames from any origin including the same origin as shown below.

// .htaccess file - within the application directory
Header append X-FRAME-OPTIONS DENY

Similarly, we can do the same using CSP frame-ancestors as shown below.

// Update your .htaccess file or virtual host

Header set Content-Security-Policy "frame-ancestors 'none';"




In the previous tutorial, I have also mentioned the usage of X-FRAME-OPTIONS directive ALLOW-FROM. The same can be implemented using CSP frame-ancestors as shown below.




// Update your .htaccess file or virtual host

Header set Content-Security-Policy "frame-ancestors 'self' <origin 1> <origin 2>;"




The CSP also includes several other directives including allowing scripts from the selected origin as shown below.




// Update your .htaccess file or virtual host

Header set Content-Security-Policy "script-src 'self' <origin 1> <origin 2>;"




Similarly, we can specify the origins specific to CSS, images, etc.




In cases where it's not possible to update the virtual host or htaccess file, we can also do the same by adding a meta tag to the page header as shown below. Using meta tag for frame-ancestors will be ignored by browsers according to the CSP specifications.




<meta http-equiv="Content-Security-Policy" content="script-src 'self' <origin 1> <origin 2>;">




The CSP directives bring a lot of newer options to specify the origins allowed to serve the resources, hence tightening the website security.



						
			

						

					

			

			

				
Write a Comment

			

		

		

		

			
			

							

					

												
						
					

					

												
						
					

					

												
						
					

									

				

				

					

												
						
					

											

							 							
Click the captcha image to get new code.

							
						

									

						

			

				
			

			

				

				

				

			

		

	




					

	

		
Discussion Forum by DISQUS

		

		

	

				

									

							

		





			

										
	

		





			

										

	

 




	








		

		

													
Recent Posts

					

	

		

										




			

			

			

			

				
			

		

		

		

			How To Change The WWW Root Directory On WampServer
		

	





			

			

				
			

		

		

		

			How To Enable HTTP 2 On Apache Web Server
		

	





			

			

				
			

		

		

		

			Hide or Remove php or html File Extension Using htaccess
		

	





			

			

				
			

		

		

		

			How To Enable TLS 1.2 and TLS 1.3 in Apache Web Server
		

	





			

			

				
			

		

		

		

			Outlook Autodiscover Using Apache Virtual Host