Add X-Frame-Options to the HTTP header to secure NGINX from clickjacking attacks
Clickjacking is a well-known web application vulnerability. In my last article, I talked about how to secure Apache Web Server, IBM HTTP Server and .htaccess. In this article, I will talk about how to do the same in the Nginx web server.
The X-Frame-Options HTTP response header tells a browser whether it may render the page inside a frame or iframe. This prevents your site's content from being embedded in other sites. Have you ever tried to embed Google.com in your website as a frame? You can't, because it is protected, and you can protect your site the same way.
There are three settings for X-Frame-Options:
- SAMEORIGIN: allows the page to be displayed in a frame only when the framing page has the same origin as the page itself.
- DENY: prevents the page from being displayed in any frame or iframe.
- ALLOW-FROM URI: allows the page to be displayed in a frame only on the specified origin.
How to implement it in Nginx?
- Go to the Nginx/conf folder
- Add the following directive to nginx.conf inside the server block:
add_header X-Frame-Options "SAMEORIGIN";
- Restart the Nginx web server
How to verify the implementation?
You can use any web developer tool to view the response headers and confirm that the X-Frame-Options header is present with the value you configured. Alternatively, you can use an online HTTP header checker to verify this.
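The verification step can also be scripted. The following is an added example, not code from the original article: check_xfo reads raw response headers on stdin and reports whether exactly one X-Frame-Options header with DENY or SAMEORIGIN is present, flagging the missing, duplicated and ALLOW-FROM cases that a quick glance at a header viewer can miss; check_url wraps it around curl -sI for a live URL (curl being available and the URL argument are assumptions).

```shell
#!/bin/sh
# Added example: check a response for a usable X-Frame-Options header.
# Reads raw HTTP response headers on stdin (e.g. curl -sI output).
# Returns 0 for exactly one header set to DENY or SAMEORIGIN, 1 otherwise.
check_xfo() {
    # Header names are case-insensitive; strip the CRs curl leaves in place,
    # keep only X-Frame-Options lines, then trim the value.
    values=$(tr -d '\r' | grep -i '^x-frame-options:' | cut -d: -f2- \
             | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    # Count non-empty lines; "|| true" keeps set -e from aborting on a zero count.
    count=$(printf '%s\n' "$values" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "MISSING: no X-Frame-Options header in the response"
        return 1
    elif [ "$count" -gt 1 ]; then
        echo "DUPLICATE: $count X-Frame-Options headers (browsers handle conflicting values inconsistently)"
        return 1
    fi
    # Values are compared case-insensitively, as browsers do.
    upper=$(printf '%s' "$values" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN)
            echo "OK: X-Frame-Options: $values"
            return 0 ;;
        ALLOW-FROM*)
            echo "WEAK: X-Frame-Options: $values (ALLOW-FROM is obsolete and ignored by current browsers)"
            return 1 ;;
        *)
            echo "INVALID: unrecognised X-Frame-Options value '$values'"
            return 1 ;;
    esac
}

# Fetch only the response headers of a live URL (assumed argument) and check them.
check_url() {
    curl -sI "$1" | check_xfo
}
```

Run it as `check_url https://your-site.example/` after the restart; a non-zero exit status means the header is absent, duplicated or not one of the two values browsers enforce.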
This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers such as SUCURI, CloudFlare or Incapsula.