Explains the steps required to secure websites and web-based applications from Clickjacking hosted on Apache HTTP Server using the CSP frame-ancestors directive.

How To Secure Apache From Clickjack attack using CSP frame-ancestors
How To Secure Apache From Clickjack attack using CSP frame-ancestors
April 03, 2019

As mentioned in the previous post - How To Secure Apache From Clickjack attack using X-Frame-Options, Clickjacking, also known as UI redress attack is one of the well-known vulnerability of websites and web-based applications. It's used by the attacker to force the user to click without user consent, leading to redirection to unknown websites.

In this post, we will discuss the newer option to prevent the same attack. We can do the same using the HTTP Content-Security-Policy (CSP) frame-ancestors directive by specifying the valid parents to allow embedding of frames using the frame, iframe, object, embed, or applet tags. The older browsers do not support this header directive.

We have discussed the X-FRAME-OPTIONS directive DENY to deny the frames from any origin including the same origin as shown below.

// .htaccess file - within the application directory
Header append X-FRAME-OPTIONS DENY

Similarly, we can do the same using CSP frame-ancestors as shown below.

// Update your .htaccess file or virtual host

Header set Content-Security-Policy "frame-ancestors 'none';"

In the previous post, I have also mentioned the usage of X-FRAME-OPTIONS directive ALLOW-FROM. The same can be implemented using CSP frame-ancestors as shown below.

// Update your .htaccess file or virtual host

Header set Content-Security-Policy "frame-ancestors 'self' <origin 1> <origin 2>;"

The CSP also includes several other directives including allowing scripts from the selected origin as shown below.

// Update your .htaccess file or virtual host

Header set Content-Security-Policy "script-src 'self' <origin 1> <origin 2>;"

Similarly, we can specify the origins specific to CSS, images, etc.

In cases where it's not possible to update the virtual host or htaccess file, we can also do the same by adding a meta tag to the page header as shown below. Using meta tag for frame-ancestors will be ignored by browsers according to the CSP specifications.

<meta http-equiv="Content-Security-Policy" content="script-src 'self' <origin 1> <origin 2>;">

The CSP directives bring a lot of newer options to specify the origins allowed to serve the resources, hence tightening the website security.

Write a Comment

Click on the captcha image to get new code.
Discussion Forum by DISQUS