
Secure Nginx from Clickjacking with X-FRAME-OPTIONS


Add the X-Frame-Options HTTP response header to protect sites served by NGINX from clickjacking attacks

Clickjacking is a well-known web application vulnerability: an attacker loads your page inside an invisible frame on a site they control and tricks the visitor into clicking on it, so the click (and the visitor's session) lands on your application.

In my last post I covered how to do this on Apache Web Server, IBM HTTP Server and via .htaccess, and some of you asked about Nginx.

So here you go…

The X-Frame-Options HTTP response header tells the browser whether it may render the page inside a frame, iframe, embed or object element on another page.

This stops your content from being embedded in other sites, which is exactly what a clickjacking attack relies on.

Did you ever try to embed Google.com in your website as a frame? You can't, because it is protected with this header, and you can protect your site the same way.

There are three values for X-Frame-Options:

  1. SAMEORIGIN: the page may be framed only by pages from the same origin (same scheme, host and port) as the page itself.
  2. DENY: the page may never be displayed in a frame or iframe, not even by pages from the same origin.
  3. ALLOW-FROM uri: the page may be framed only by the one origin given. This value is obsolete: only older versions of Firefox and Internet Explorer ever honoured it, and Chrome and Safari ignore the whole header when they see it, leaving the page unprotected in those browsers. If you need to allow a third-party origin, use CSP frame-ancestors instead.

Note: the Content-Security-Policy frame-ancestors directive supersedes X-Frame-Options and accepts a list of allowed origins. A browser that understands frame-ancestors ignores X-Frame-Options when both are sent, so sending both is safe and keeps older browsers covered.

Implementation

  • Open the Nginx configuration. nginx.conf is usually under /etc/nginx/ (or in the conf directory of the install prefix), and virtual hosts are often in /etc/nginx/conf.d/ or sites-enabled/.
  • Take a backup before modifying.
  • Add the following directive inside the server block (or in the http block to cover every virtual host):
add_header X-Frame-Options "SAMEORIGIN";
  • Append the always parameter to the directive (nginx 1.7.5 and later) if the header should also be sent on error pages; by default add_header applies only to successful and redirect responses, so a 404 page would be left frameable.
  • Remember that an add_header inside a location block replaces every header inherited from the server block, so repeat the directive in any location that sets its own headers.
  • Check the syntax with nginx -t, then reload Nginx (nginx -s reload, or systemctl reload nginx on systemd hosts).
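As an added example (not the article's own configuration; the paths, hostname and the /static/ location are assumptions), here is a server block that sends the header on every response, adds the CSP frame-ancestors equivalent, and shows the location-inheritance pitfall together with its fix:

```nginx
# Added example, not from the original article. /etc/nginx/conf.d/example.conf and
# www.example.com are assumed names.
server {
    listen 443 ssl;
    server_name www.example.com;

    # Anti-framing header on every response, including 4xx/5xx error pages.
    # Without `always` (nginx >= 1.7.5) add_header is only applied to successful
    # and redirect responses, so a 404 page would come back without it.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # Modern equivalent. Browsers that understand frame-ancestors ignore
    # X-Frame-Options when both are present; keep both for older clients.
    add_header Content-Security-Policy "frame-ancestors 'self'" always;

    location / {
        try_files $uri $uri/ =404;
    }

    # PITFALL: any add_header inside a location replaces ALL headers inherited
    # from the server block. This location would silently lose X-Frame-Options
    # and the CSP header because of its Cache-Control line...
    location /static/ {
        add_header Cache-Control "public, max-age=3600";
        # ...unless they are repeated here.
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors 'self'" always;
    }
}
```

After editing, run nginx -t before reloading; a typo in a quoted header value is accepted by nginx but ignored by browsers, so also verify the header in a live response as described below.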

Verification

Use the browser's developer tools (Network tab, response headers of the document request) to view the response headers; you should see X-Frame-Options: SAMEORIGIN. Also request a URL that returns an error (for example a non-existent page) and confirm the header is present there too, since without always nginx does not add it to error responses.


Alternatively, use an online HTTP header checker, or run curl -I https://your-site/ from the command line and look for the X-Frame-Options line.

I hope this helps. For more on hardening Nginx, see my Nginx Hardening & Security guide.

This is just one of hundreds of hardening steps for a website. If you are looking for a more complete protection layer, consider a cloud-based WAF/CDN provider such as SUCURI or Cloudflare.
