• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • Add X-Frame-Options in HTTP header to secure NGINX from Clickjacking attack

    Clickjacking is a well-known web application vulnerabilities.

    In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess and some of you asked about Nginx.

    So here you go…

    The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.

    This will prevent site content embedded into other sites.

    Did you every try embed Google.com on your website as a frame? You can’t because it’s protected and you can protect it too.

    There are three settings for X-Frame-Options:

    1. SAMEORIGIN: This setting will allow the page to be displayed in a frame on the same origin as the page itself.
    2. DENY: This setting will prevent a page displaying in a frame or iframe.
    3. ALLOW-FROM URI: This setting will allow a page to be displayed only on the specified origin.

    Note: you may also try CSP frame-ancestors to control the content embed.


    • Go to where Nginx is installed and then a conf folder
    • Take a backup before modifying
    • Add the following parameter in nginx.conf under server section
    add_header X-Frame-Options "SAMEORIGIN";
    • Restart Nginx webserver


    You can use a web developer tool in the browser to view Response headers. It should look like this.

    Alternatively, you can also use HTTP Header online tool to verify this.

    I hope this helps. For more on security, check out my Nginx Hardening & Security guide.

    This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI, or Cloudflare.