Secure Nginx from Clickjacking with X-FRAME-OPTIONS

Netsparker Web Application Security Scanner - the only solution that delivers automatic verification of vulnerabilities with Proof-Based Scanning™.

Add X-Frame-Options in HTTP header to secure NGINX from Clickjacking attack

Clickjacking is a well-known web application vulnerabilities.

In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess and some of you asked about Nginx.

So here you go…

The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.

This will prevent site content embedded into other sites.

Did you every try embed Google.com on your website as a frame? You can’t because it’s protected and you can protect it too.

There are three settings for X-Frame-Options:

SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
DENY: This setting will prevent a page displaying in a frame or iframe.
ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

Note: you may also try CSP frame-ancestors to control the content embed.

Implementation

Go to where Nginx is installed and then a conf folder
Take a backup before modifying
Add the following parameter in nginx.conf under server section

add_header X-Frame-Options "SAMEORIGIN";

Restart Nginx webserver

Verification

You can use a web developer tool in the browser to view Response headers. It should look like this.

Alternatively, you can also use HTTP Header online tool to verify this.

I hope this helps. For more on security, check out my Nginx Hardening & Security guide.

This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI, or Cloudflare.

Power Your Business

Netsparker

Netsparker uses the Proof-Based Scanning™ to automatically verify the identified vulnerabilities with proof of exploit, thus making it possible to scan thousands of web applications and generate actionable results within just hours.

Try Netsparker

Kinsta

Probably the best managed WordPress cloud platform to host small to enterprise sites. Kinsta leverages Google's low latency network infrastructure to deliver content faster. Free SSL, CDN, backup and a lot more with outstanding support. You'll love it.

Try Kinsta

Sucuri

A global CDN and cloud-based web application firewall for your website to supercharge the performance and secure from online threats. SUCURI WAF protects from OWASP top 10 vulnerabilities, brute force, DDoS, malware, and more.

Try Sucuri

Secure Nginx from Clickjacking with X-FRAME-OPTIONS

Implementation

Verification

More Great Reading on Geekflare

Indian Government Audits Security Loopholes in National Payment Corps

GitHub Archives Its Open Source Codes in an Arctic Vault

Crypto and Docker Receive Botnet Abuses for Doki Backdoor

What is a Network Firewall and How it helps to Stop Attacks?

BootHole Bug challenges Windows and Linux systems

What is Firewall? – An Introduction Guide

Power Your Business

Choosing the right product and service is essential to run an online business. Here are some of the tools and services to help your business grow.

Netsparker

Kinsta

Sucuri