
Add X-Frame-Options in HTTP header to secure NGINX from Clickjacking attack

Clickjacking is a well-known web application vulnerability.

In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess and some of you asked about Nginx.

So here you go…

The X-Frame-Options HTTP response header tells a browser whether or not it may render the page inside a frame or iframe.

This prevents your site's content from being embedded in other sites.

Did you ever try to embed Google.com on your website in a frame? You can't, because it is protected, and you can protect your site too.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: the page may be displayed in a frame only when the framing page has the same origin as the page itself.
  2. DENY: the page may not be displayed in any frame or iframe.
  3. ALLOW-FROM URI: the page may be displayed only by the specified origin. This value is obsolete: modern browsers do not support it and ignore the whole header when they see it, so use CSP frame-ancestors for this case instead.

Note: you can also use the Content-Security-Policy frame-ancestors directive to control embedding; it accepts a list of origins and takes precedence over X-Frame-Options in browsers that support it.

Implementation

  • Go to the directory where Nginx is installed and open its conf folder
  • Take a backup of nginx.conf before modifying it
  • Add the following directive in nginx.conf inside the server block
    add_header X-Frame-Options "SAMEORIGIN";
    Note that a location block inherits add_header directives from the server block only if it defines no add_header of its own; if it does, repeat the directive there, or responses from that location will lack the header.
  • Restart the Nginx web server

Verification

You can use the browser's developer tools (the Network tab) to view the response headers. The X-Frame-Options header should look like this.

[Screenshot: browser developer tools showing the response header X-Frame-Options: SAMEORIGIN]

Alternatively, you can use an online HTTP header checking tool to verify this.
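The following script is an added example and not part of the original post: it checks whether a set of response headers actually protects a page from framing, covering both the header configured above (X-Frame-Options: SAMEORIGIN) and the verification step. It applies the browser behaviour described earlier (DENY and SAMEORIGIN honoured, ALLOW-FROM ignored, CSP frame-ancestors taking precedence); the sample header sets are constructed, and fetch_headers is only needed for a live check against your own server.

```python
"""Evaluate the anti-framing protection of HTTP response headers.

Added example (not the original post's code). Assumptions: browser behaviour
as summarised in the post, i.e. DENY/SAMEORIGIN are honoured, ALLOW-FROM is
ignored by modern browsers, and a CSP frame-ancestors directive overrides
X-Frame-Options when both are present.
"""
from __future__ import annotations

import urllib.request


def frame_ancestors(csp: str | None) -> list[str] | None:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list matches nothing, which blocks all framing.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def framing_policy(headers: dict[str, str]) -> tuple[bool, str]:
    """Classify one response: (protected?, reason).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = frame_ancestors(lower.get("content-security-policy"))
    xfo = lower.get("x-frame-options", "").upper()

    # CSP frame-ancestors wins over X-Frame-Options when both are present.
    if ancestors is not None:
        if "*" in ancestors or any(a in ("http:", "https:") for a in ancestors):
            return False, "frame-ancestors permits any origin"
        return True, "frame-ancestors " + " ".join(ancestors)

    if xfo in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options " + xfo
    if xfo.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete; modern browsers ignore the whole header"
    if xfo:
        return False, f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return False, "no X-Frame-Options or frame-ancestors header"


def fetch_headers(url: str, timeout: float = 10.0) -> dict[str, str]:
    """Live check against your own server: HEAD request, returns response headers."""
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "xfo-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "nginx with SAMEORIGIN": {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN"},
    "allow-from only": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp overrides xfo": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors *",
    },
    "csp self": {"content-security-policy": "frame-ancestors 'self' https://partner.example"},
    "no header": {"Server": "nginx"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = framing_policy(hdrs)
        print(f"{name:24} {'protected' if ok else 'UNPROTECTED':12} {why}")
```

Run it as-is to see the verdicts for the constructed samples, or call `framing_policy(fetch_headers("https://your-site.example/"))` against a server you administer after reloading Nginx. Note the "csp overrides xfo" case: a DENY header does not help if a CSP elsewhere in the configuration sets a permissive frame-ancestors.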

I hope this helps. For more on security, check out my Nginx Hardening & Security guide.

This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI or Cloudflare.

  • Chandan Kumar
    Author