In Apache HTTP and Security Last updated:
Share on:
Jira Software is the #1 project management tool used by agile teams to plan, track, release, and support great software.

Implement X-FRAME-OPTIONS in HTTP headers to prevent Clickjacking attacks

Clickjacking is a well-known web application vulnerabilities.

For example, it was used as an attack on Twitter.

To defense the Clickjacking attack on your Apache web server, you can use X-FRAME-OPTIONS to avoid your website being hacked from Clickjacking.

The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.

This will prevent site content embedded into other sites.

Did you every try embed Google.com on your website as a frame? You can’t because it’s protected and you can protect it too.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow a page to be displayed in a frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM uri: This setting will allow a page to be displayed only on the specified origin.

Note: – you may also use Content Security Policy header to control how you want your site content to be embed. Refer this article for CSP header.

Implement in Apache, IBM HTTP Server

  • Login to Apache or IHS server
  • Take a backup of a configuration file
  • Add following line in httpd.conf file
Header always append X-Frame-Options SAMEORIGIN
  • Restart the respective webserver to test the application

Implement in Shared Web Hosting

If your website is hosted on shared web hosting, then you won’t have permission to modify httpd.conf.

However, you can achieve this by adding the following line in the .htaccess file.

Header append X-FRAME-OPTIONS "SAMEORIGIN"

Change is reflected immediately without doing any restart.

Verification

You can use any web developer tool to view Response headers. You can also use an online tool – Header Checker to verify.

How did it go?

If you are running an online business, then you may consider using Cloud WAF for all-in-one security protection and monitoring.

Share on:
  • Chandan Kumar
    Author
    Chandan Kumar is a seasoned technology enthusiast and entrepreneur passionate about empowering businesses and individuals globally. As the founder of Geekflare, a leading technology publication, Chandan has spearheaded the development…

Thanks to our Sponsors

More great readings on Apache HTTP

Power Your Business

Some of the tools and services to help your business grow.
  • The text-to-speech tool that uses AI to generate realistic human-like voices.

    Try Murf AI
  • Web scraping, residential proxy, proxy manager, web unlocker, search engine crawler, and all you need to collect web data.

    Try Brightdata
  • Monday.com is an all-in-one work OS to help you manage projects, tasks, work, sales, CRM, operations, workflows, and more.

    Try Monday
  • Intruder is an online vulnerability scanner that finds cyber security weaknesses in your infrastructure, to avoid costly data breaches.

    Try Intruder