How To Secure Apache From Clickjack attack using X-Frame-Options

Explains how to protect websites and web applications hosted on Apache HTTP Server from clickjacking by sending the X-Frame-Options response header.

April 01, 2019

Clickjacking, also known as a UI redress attack, is a well-known attack against websites and web applications. The attacker loads the target page in an invisible or disguised iframe on a page they control, so a user who thinks they are clicking on the attacker's page is actually clicking buttons or links on the target site, without their consent and often while logged in to it.

This tutorial explains the steps required to protect websites and web applications from clickjacking using the X-Frame-Options response header. The header tells the browser whether the page may be rendered inside a frame or iframe at all and, if so, whether only pages from the same origin may frame it. It is enforced by the browser on the framed page, so it has to be sent by the site that wants to avoid being framed, not by the site doing the framing.

The possible values of X-Frame-Options are listed below. The Header directive that sets it can be added to httpd.conf, to the virtual host configuration, or to an .htaccess file placed at the root of the application directory; in the .htaccess case the directory needs AllowOverride FileInfo (or All). Two details matter in practice: the header must carry exactly one value, so use Header set rather than Header append (append merges into any header the application already sends and produces a comma-separated list whose handling differs between browsers), and use the always condition so that error responses and redirects carry the header too, since without it Apache adds the header to 2xx responses only.

You must enable the headers module (mod_headers) before the Header directive is recognised. On Debian and Ubuntu systems run the following commands.

# Enable headers module
sudo a2enmod headers

# Restart Apache
sudo service apache2 restart

The same module can be enabled from WampServer on Windows, as shown in Fig 1.

Fig 1: Headers Module

SAMEORIGIN

Allows the page to be framed only by pages from the same origin, i.e. the same scheme, host and port as the page itself. Note that this is not "the same Apache server": two virtual hosts served by one Apache instance are different origins and cannot frame each other.

# httpd.conf or virtual host - allow framing from the same origin only, then restart the server

Header always set X-Frame-Options "SAMEORIGIN"

# .htaccess file - within the application directory

Header always set X-Frame-Options "SAMEORIGIN"

DENY

Blocks framing of the page entirely, whether the framing page comes from the same origin or from a different one. Use this unless the application genuinely needs to frame its own pages.

# .htaccess file - within the application directory
Header always set X-Frame-Options "DENY"

The unset directive shown below does not block framing. It removes any X-Frame-Options header from the response, which on its own leaves the page frameable by anyone. Its purpose is to clear a value that the application or a script already emits, so that the browser never receives two values; it must be followed by the Header always set directive from the DENY or SAMEORIGIN section. Because the always and default (onsuccess) conditions operate on separate header tables, a header emitted by a CGI script or other module may need to be unset under both conditions.

# .htaccess file - clear an X-Frame-Options header set elsewhere before setting your own
Header always unset X-Frame-Options

ALLOW-FROM

Intended to allow one specific origin to frame the page. It takes exactly one URI, not a comma-separated list. It was only ever implemented by Internet Explorer and older Firefox versions and is now obsolete: Chrome, Safari, Edge and current Firefox do not recognise it and treat the header as invalid, which leaves the page frameable. Prefer DENY or SAMEORIGIN; where a specific third-party origin must be allowed, use the frame-ancestors directive of the Content-Security-Policy header, which every current browser supports and which accepts a list of origins. The ALLOW-FROM form is shown below for reference only.

# .htaccess file - obsolete; single origin only, ignored by current browsers
Header always set X-Frame-Options "ALLOW-FROM <origin>"

These are the values X-Frame-Options accepts for allowing or disallowing frames that open the page. In practice only DENY and SAMEORIGIN are reliable today. After deploying, confirm that the header actually reaches the browser, on error pages and redirects as well as on normal pages, and that it arrives as a single value.
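As an added example that is not part of the original article, the following POSIX shell function performs the check a practitioner would run after applying the directives above. It reads raw HTTP response headers on stdin, as produced by curl -sI, and reports whether the X-Frame-Options header as actually sent protects the page: it rejects a missing header, a comma-separated or duplicated header (what Header append produces when the application already sends one), and the obsolete ALLOW-FROM form. The sample responses in the comments are constructed and the URLs are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: judge whether the
# X-Frame-Options header in a captured HTTP response protects the page.
# Input: raw response headers on stdin (e.g. from `curl -sI URL`).
# Output: one verdict line; exit status 0 when protected, 1 otherwise.
xfo_verdict() {
    # Collect every X-Frame-Options value. Header names are case-insensitive,
    # CRLF is stripped, and reading stops at the blank line that ends the
    # header block so nothing in a response body can be mistaken for a header.
    values=$(tr -d '\r' | awk '
        /^$/ { exit }
        tolower($0) ~ /^x-frame-options:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]*$/, ""); print
        }')

    if [ -z "$values" ]; then
        echo "unprotected: X-Frame-Options header missing"
        return 1
    fi

    # Join repeated headers with commas; this is also the shape that
    # "Header append" produces when the application already sent the header.
    joined=$(printf '%s\n' "$values" | tr '\n' ',')
    joined=${joined%,}
    case "$joined" in
        *,*)
            # Browsers have handled a multi-valued header inconsistently
            # (older versions treated it as invalid, i.e. no protection),
            # so it is never an acceptable deployment.
            echo "unprotected: multiple values ($joined)"
            return 1 ;;
    esac

    # Token comparison is case-insensitive in browsers.
    upper=$(printf '%s' "$joined" | tr 'a-z' 'A-Z')
    case "$upper" in
        DENY)        echo "protected: DENY" ;;
        SAMEORIGIN)  echo "protected: SAMEORIGIN" ;;
        ALLOW-FROM*) echo "unprotected: ALLOW-FROM is obsolete and ignored by current browsers"
                     return 1 ;;
        *)           echo "unprotected: unrecognised value '$joined'"
                     return 1 ;;
    esac
}

# Usage against a live server (placeholder URL). Check an error page as well:
# without "Header always", Apache adds the header to 2xx responses only.
#   curl -sI https://example.com/               | xfo_verdict
#   curl -sI https://example.com/does-not-exist | xfo_verdict
```

Run both a normal page and a non-existent path through the function; a "missing" verdict on the second one while the first is protected is the signature of a Header directive written without always.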
