Secure Apache from Clickjacking with X-FRAME-OPTIONS

Implement X-FRAME-OPTIONS in HTTP headers to prevent Clickjacking attacks

Clickjacking is a well-known web application vulnerability.

For example, it was used as an attack on Twitter.

To defend against Clickjacking attacks on your Apache web server, you can use X-FRAME-OPTIONS to prevent your website from being hacked through Clickjacking.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in a frame or iframe.

This will prevent site content from being embedded into other sites.

Did you ever try embed on your website as a frame? You can’t because it’s protected and you can protect it too.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow a page to be displayed in a frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page from being displayed in a frame or iframe.
  3. ALLOW-FROM uri: This setting will allow a page to be displayed only on the specified origin.

Implement in Apache, IBM HTTP Server

  • Log in to the Apache or IHS server
  • Take a backup of the configuration file
  • Add the following line to the httpd.conf file
      Header always append X-Frame-Options SAMEORIGIN
  • Restart the respective web server to test the application

Implement in Shared Web Hosting

If your website is hosted on shared web hosting, then you won’t have permission to modify httpd.conf.

However, you can achieve this by adding the following line to the .htaccess file.


The change is reflected immediately, without any restart.


You can use any web developer tool to view Response headers. You can also use an online tool – Header Checker to verify.
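
As an added example (not from the original article), the shell function below reads raw response headers on stdin, for instance from `curl -sI`, and reports whether X-Frame-Options is missing, valid, duplicated or conflicting, which can happen because `Header append` merges onto a value the application has already set. The function name `xfo_check`, its result labels and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify X-Frame-Options in raw HTTP response headers on stdin.
# Typical use:  curl -sI https://www.example.com/ | xfo_check
# xfo_check and its result labels are hypothetical names for this example.
xfo_check() {
    awk '
    {
        sub(/\r$/, "")                        # strip CR of CRLF line endings
        name = tolower($0); sub(/:.*/, "", name)
        if (name != "x-frame-options") next   # header names are case-insensitive
        value = $0; sub(/^[^:]*:[ \t]*/, "", value)
        # "Header append" merges onto an existing value with a comma, so one
        # header line can carry several values; split and record each of them.
        cnt = split(value, parts, ",")
        for (i = 1; i <= cnt; i++) {
            v = toupper(parts[i]); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (v != "") { n++; seen[v] = 1 }
        }
    }
    END {
        if (n == 0) { print "MISSING"; exit }      # no X-Frame-Options sent
        distinct = 0
        for (k in seen) { distinct++; last = k }
        if (distinct > 1) { print "CONFLICT"; exit }   # e.g. DENY and SAMEORIGIN
        if (last == "DENY" || last == "SAMEORIGIN") {
            status = (n > 1) ? "DUPLICATE " : "OK "    # duplicate: set twice
            print status last; exit
        }
        # ALLOW-FROM is obsolete; current browsers ignore a header that uses it.
        if (last ~ /^ALLOW-FROM[ \t]/) { print "ALLOW-FROM"; exit }
        print "INVALID"
    }'
}

# Constructed sample response (not captured from a real server).
printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' | xfo_check
```

A `DUPLICATE` or `CONFLICT` result means the header is being set in more than one place, for example by both the application and httpd.conf.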

How did it go?

If you are running an online business, then you may consider using Cloud WAF for all-in-one security protection and monitoring.

Reader Interactions

Chandan Kumar
About Chandan
Chandan Kumar is the founder and editor of Geek Flare. Learn more here and connect with him on Twitter.


  1. Hi Chandan

    added the below code in httpd.conf file but still could not see x-frame-options in response header in browser.
    apache server used : httpserver_2.4.27

    Header always append X-Frame-Options SAMEORIGIN

  2. Hi,
    Thanks for the info! 🙂
    I have one question. Would it be possible to provide more than one uri for the option 3:
    “ALLOW-FROM uri: This setting will allow page to be displayed only on the specified origin.”

    I need at least 2 servers to make it work.

    Kind regards,

  3. Hi Chandan – Thanks for posting this article.
    Do you know a way to implement X-FRAME-OPTIONS on Tomcat running on Windows?

  4. We found the ‘Header Checker’ tool very useful as it
    (1) showed that three Apache servers were using DENY instead of SAMEORIGIN and
    (2) that PHP versions were ranging from PHP/5.4.16 – PHP/5.4.28
