
Secure Nginx from Clickjacking with X-FRAME-OPTIONS


Add X-Frame-Options in HTTP header to secure NGINX from Clickjacking attack
Clickjacking is a well-known web application vulnerability: an attacker loads your page inside an invisible frame on a site they control and tricks the visitor into clicking your buttons.
In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess, and some of you asked about Nginx.
So here you go…
The X-Frame-Options HTTP response header tells a browser whether or not it may render the page inside a frame or iframe.
Because the browser refuses to frame the page, other sites cannot embed your content, which removes the mechanism clickjacking depends on.
Did you ever try to embed Google.com on your website in a frame? You can't, because it is protected in exactly this way, and you can protect your site too.
There are three values for X-Frame-Options:
- SAMEORIGIN: the page may be displayed in a frame only when the framing page has the same origin as the page itself.
- DENY: the page may never be displayed in a frame or iframe, not even by your own site.
- ALLOW-FROM uri: the page may be displayed only by the one origin given. This value is obsolete: it was only ever implemented by Internet Explorer and older Firefox, and a browser that does not recognise it ignores the header completely, leaving the page unprotected. Do not use it.
Note: if you need to allow one or more specific third-party origins, use the CSP frame-ancestors directive instead (for example Content-Security-Policy: frame-ancestors 'self' https://partner.example;). Browsers that support frame-ancestors give it precedence over X-Frame-Options when both headers are present, so sending both is the safe combination.
Implementation
- Go to the directory where Nginx is installed and then into the conf folder (on most Linux packages this is /etc/nginx).
- Take a backup of nginx.conf before modifying it.
- Add the following directive in nginx.conf inside the server block:
add_header X-Frame-Options "SAMEORIGIN";
- Note that add_header is only inherited into a location block that has no add_header directives of its own; if a location sets other headers, repeat this line there as well. Adding the always parameter makes Nginx send the header on error responses too, not only on 2xx and 3xx responses.
- Test the configuration and reload Nginx.
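The steps above as one script, an added example and not code from the article: it writes the anti-clickjacking headers to a snippet file (the path /etc/nginx/snippets/clickjacking.conf is an assumption; include it from your server block with `include snippets/clickjacking.conf;`), keeps a backup, validates the whole configuration with `nginx -t` and only then reloads. It pairs X-Frame-Options with the equivalent CSP frame-ancestors policy and uses `always` so error pages get the header too.

```shell
#!/bin/sh
# deploy_xfo.sh - added example, not from the original article.
# Writes an anti-clickjacking snippet for Nginx, validates the full
# configuration with `nginx -t`, and reloads only if validation passes.
# Assumed (hypothetical) snippet path; override with SNIPPET=... in the env.
set -eu

SNIPPET=${SNIPPET:-/etc/nginx/snippets/clickjacking.conf}

# Print the snippet for a policy: "sameorigin" (default) or "deny".
# The X-Frame-Options value and the CSP frame-ancestors value are kept
# in sync so every browser enforces the same rule.
xfo_snippet() {
    case "${1:-sameorigin}" in
        sameorigin) xfo=SAMEORIGIN; ancestors="'self'" ;;
        deny)       xfo=DENY;       ancestors="'none'" ;;
        *) echo "usage: xfo_snippet [sameorigin|deny]" >&2; return 2 ;;
    esac
    cat <<EOF
# Anti-clickjacking headers (generated by deploy_xfo.sh).
# "always" makes Nginx send the header on every response code; without
# it add_header only applies to 2xx and 3xx responses, so a framed
# error page would be left unprotected.
add_header X-Frame-Options "$xfo" always;
# Same policy for CSP-aware browsers; frame-ancestors takes precedence
# over X-Frame-Options where both are present.
add_header Content-Security-Policy "frame-ancestors $ancestors" always;
EOF
}

# Back up any existing snippet, write the new one, test, reload.
# Reminder: add_header is not inherited into a location block that has
# its own add_header lines, so include this snippet in those too.
install_snippet() {
    policy=${1:-sameorigin}
    if [ -f "$SNIPPET" ]; then
        cp -p "$SNIPPET" "$SNIPPET.bak.$(date +%Y%m%d%H%M%S)"
    fi
    xfo_snippet "$policy" > "$SNIPPET"
    nginx -t && nginx -s reload
}

# Usage (as root):  sh deploy_xfo.sh install [sameorigin|deny]
# Preview only:     sh deploy_xfo.sh show    [sameorigin|deny]
case "${1:-}" in
    install) install_snippet "${2:-sameorigin}" ;;
    show)    xfo_snippet "${2:-sameorigin}" ;;
esac
```

Run `sh deploy_xfo.sh show` first to review the snippet; `nginx -t` fails loudly if the include line or the snippet is malformed, and the reload is skipped in that case.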
Verification
You can use the web developer tools in your browser (Network tab) to view the response headers; the response should now include the line X-Frame-Options: SAMEORIGIN.
Alternatively, you can use an online HTTP header checker or a command-line HTTP client to verify this. Check an error page (for example a 404) as well as the home page, since without the always parameter the header is only sent on successful responses.
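A command-line check for the headers, as an added example that is not part of the original article. The function reads raw response headers on standard input (from `curl -sSI https://your-site/` in practice; the sample headers in the test are constructed) and reports whether a usable anti-framing policy is present. It treats an obsolete ALLOW-FROM value or a missing header as unprotected, and only counts the enforcing Content-Security-Policy header, not the Report-Only one.

```shell
#!/bin/sh
# check_frame_headers.sh - added example, not from the original article.
# Reads raw HTTP response headers on stdin and prints a verdict.
# Exit status: 0 = page cannot be framed by third parties, 1 = unprotected.
set -eu

frame_policy_check() {
    tr -d '\r' | awk '
    {
        # Split "Name: value" lines; header names are case-insensitive.
        name = $0; sub(/:.*/, "", name); name = tolower(name)
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        if (name == "x-frame-options")         xfo = value
        if (name == "content-security-policy") csp = value
    }
    END {
        ok = 0
        # CSP frame-ancestors supersedes X-Frame-Options where present.
        if (match(csp, /frame-ancestors[^;]*/)) {
            fa = substr(csp, RSTART, RLENGTH)
            gsub(/^frame-ancestors[ \t]*|[ \t]+$/, "", fa)
            if (fa == "*") {
                print "CSP frame-ancestors * allows any site to frame the page"
            } else {
                print "CSP frame-ancestors present: " fa
                ok = 1
            }
        }
        v = toupper(xfo); gsub(/^[ \t]+|[ \t]+$/, "", v)
        if (v == "DENY" || v == "SAMEORIGIN") {
            print "X-Frame-Options: " v
            ok = 1
        } else if (v ~ /^ALLOW-FROM/) {
            # Obsolete: unsupported browsers ignore the whole header.
            print "X-Frame-Options uses obsolete ALLOW-FROM; browsers ignore it"
        } else if (v == "") {
            print "X-Frame-Options header missing"
        } else {
            print "X-Frame-Options has unrecognised value: " xfo
        }
        if (ok) exit 0
        exit 1
    }'
}

# Convenience wrapper: fetch headers for a URL and check them.
# HEAD is enough because add_header applies to HEAD responses too.
check_url() {
    curl -sSI "$1" | frame_policy_check
}

# Usage: sh check_frame_headers.sh https://example.com/
if [ "${1:-}" != "" ]; then
    check_url "$1"
fi
```

Run it against both a normal page and a 404 page; a missing header on the error page means the directive is in a location block that does not inherit it, or the always parameter was left off.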
I hope this helps. For more on security, check out my Nginx Hardening & Security guide.
This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI, or Cloudflare.