Add X-Frame-Options in HTTP header to secure NGINX from Clickjacking attack

Clickjacking is well-known web application vulnerabilities.

In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess and some of you asked about Nginx.

So here you go…

The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.

This will prevent site content embedded into other sites.

Did you every try embed Google.com in your website as a frame? You can’t because it’s protected and you can protect it too.

There are three settings for X-Frame-Options:

1. SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
2. DENY: This setting will prevent a page displaying in a frame or iframe.
3. ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

Implementation

• Go to where Nginx is installed and then conf folder
• Take a backup before modifying
• Add the following parameter in nginx.conf under server section

add_header X-Frame-Options "SAMEORIGIN";

• Restart Nginx web server

Verification

You can use web developer tool in the browser to view Response headers. It should look like this.

Alternatively, you can also use HTTP Header online tool to verify this.

I hope this helps. For more on security, check out my Nginx Hardening & Security guide.

This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI, CloudFlare or Incapsula.