How To Secure Apache From Clickjacking Attacks Using X-Frame-Options

Clickjacking, also known as a UI redress attack, is a well-known vulnerability of websites and web applications. The attacker loads the target page in an invisible or disguised iframe on a page they control and lures the victim into clicking on it, so that the clicks land on the framed page and trigger actions there (a form submission, a settings change, a purchase) in the victim's authenticated session, without the victim's consent.

This tutorial explains the steps required to protect websites and web applications hosted on Apache from clickjacking by using the X-Frame-Options response header. The header tells the browser whether the page may be rendered inside a frame, iframe, embed or object element; a browser that honours it refuses to render the page inside frames the policy does not allow, so the attacker's overlay never loads.

The possible values of X-Frame-Options are listed below. The Header directive that sets them can be placed in the main httpd.conf file, in a virtual host file, or in an .htaccess file at the root of the application directory (the latter requires AllowOverride FileInfo for that directory).

The Header directive is provided by mod_headers, which must be enabled first. On Debian-based systems use the commands below (on releases using systemd, systemctl restart apache2 is equivalent to the service command).

# Enable headers module
sudo a2enmod headers

# Restart Apache
sudo service apache2 restart

On Windows the same module can be enabled from the WampServer tray menu, as shown in Fig 1.

Fig 1

SAMEORIGIN

The page may be framed only by pages from the same origin, i.e. the same scheme, host name and port. This is stricter than "the same Apache server": a page served over http cannot frame its https counterpart, and a different virtual host on the same server cannot frame it either.

# httpd.conf or virtual host file - allow frames only from the same origin, then restart the server

Header always set X-Frame-Options "SAMEORIGIN"

# .htaccess file - within the application directory

Header always set X-Frame-Options "SAMEORIGIN"

Use set rather than append: X-Frame-Options takes exactly one value, and append merges into any value already present (comma-separated), so a directive in httpd.conf plus another in .htaccess yields "SAMEORIGIN, SAMEORIGIN" or a conflicting "SAMEORIGIN, DENY". Browsers have not handled such lists consistently (current browsers treat any list containing DENY or SAMEORIGIN as DENY; older ones ignored the header). The always keyword makes the header apply to error responses (4xx, 5xx) as well as to successful ones; use it consistently, because headers added with and without always live in separate tables and a value set in one is not seen by directives operating on the other.

DENY

The page may not be rendered in a frame at all, whether the framing page is on the same origin or on a different one. This is the right choice for pages that are never meant to be embedded, such as login, payment and account-settings pages.

# .htaccess file - within the application directory

Header always set X-Frame-Options "DENY"

Note that the directive below does not block anything; it does the opposite. unset removes the X-Frame-Options header from the response, so browsers receive no framing restriction at all and any site can embed the page. It is only useful for clearing a value inherited from a wider scope, for example in the .htaccess of an application that is deliberately embeddable and sets its own Content-Security-Policy frame-ancestors policy instead.

# .htaccess file - removes the header; the page becomes frameable by any site

Header always unset X-Frame-Options

ALLOW-FROM

Intended to allow one specific site to frame the page. It takes exactly one origin (scheme, host and optional port), not a comma-separated list, and it was only ever implemented by Internet Explorer 8 and later, the old EdgeHTML-based Edge and Firefox before version 70. Chrome and Safari never supported it. A browser that does not recognise the value ignores the header entirely and allows framing from anywhere, so ALLOW-FROM gives no protection in any current browser and should be treated as obsolete. Where a page must be embeddable by particular third-party origins, use the frame-ancestors directive of Content-Security-Policy, which accepts a list of origins and takes precedence over X-Frame-Options in browsers that support it, and keep X-Frame-Options SAMEORIGIN or DENY as a fallback for browsers that do not. For completeness, the syntax is:

# .htaccess file - within the application directory (obsolete, ignored by current browsers)

Header always set X-Frame-Options "ALLOW-FROM <origin>"

These are the values X-Frame-Options provides for allowing or disallowing the page to be framed. In practice only DENY and SAMEORIGIN are reliable. After restarting Apache, verify the deployment by inspecting the response headers (for example with curl -I) and confirm that exactly one X-Frame-Options header with the intended value is returned, for error pages as well as for normal ones.
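To see what each of the values above actually does once it reaches a browser, here is an added example in Python (not part of the original tutorial) that models the browser-side decision: the X-Frame-Options check from the HTML Standard, including its handling of duplicate and conflicting values, plus the rule that a Content-Security-Policy frame-ancestors directive takes precedence. It serves the SAMEORIGIN, DENY and ALLOW-FROM sections at once. The host names bank.example, partner.example and evil.example, the header sets in SCENARIOS and the Apache directives quoted in its comments are constructed for the example; the CSP source matcher is deliberately simplified (no paths, no scheme-only sources, no IP literals).

```python
"""Browser-side check of whether a page may be framed, given the response headers
Apache emits: the HTML Standard's X-Frame-Options algorithm (duplicate/conflicting
values included) plus CSP frame-ancestors precedence. Added example; constructed data."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Browser origin of a URL as (scheme, host, port), default ports applied."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    port = p.port if p.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (p.hostname or "").lower(), port)

def _header_values(headers, name):
    """All values of header `name`, split on commas as browsers do, so two headers
    and one comma-joined value (what 'Header append' produces) look the same."""
    out = []
    for n, v in headers:
        if n.lower() == name.lower():
            out.extend(part.strip() for part in v.split(",") if part.strip())
    return out

def _source_allows(source, ancestor, page):
    """Simplified CSP source match: 'none', 'self' and [scheme://]host[:port] with
    a leading '*.' host wildcard (no paths, scheme-only sources, '*' or IPs)."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return ancestor == page
    a_scheme, a_host, a_port = ancestor
    scheme, _, rest = src.rpartition("://")
    host, _, port = rest.partition(":")
    scheme_ok = a_scheme == scheme if scheme else a_scheme in (page[0], "https")
    host_ok = a_host.endswith(host[1:]) if host.startswith("*.") else a_host == host
    port_ok = a_port == (int(port) if port else DEFAULT_PORTS.get(a_scheme))
    return scheme_ok and host_ok and port_ok

def frame_ancestors_allows(policy, ancestors, page):
    """True/False if `policy` has a frame-ancestors directive that permits/forbids
    every ancestor; None if this policy carries no such directive."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = tokens[1:]                 # no sources behaves like 'none'
            return all(any(_source_allows(s, a, page) for s in sources) for a in ancestors)
    return None

def framing_allowed(headers, page_url, ancestor_urls):
    """Would a browser render page_url inside frames whose documents live at
    ancestor_urls (the whole framing chain)? headers: emitted (name, value) pairs."""
    if not ancestor_urls:
        return True                              # top-level navigation: never restricted
    page = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    # A CSP frame-ancestors directive, when present, decides alone; XFO is ignored.
    verdicts = [frame_ancestors_allows(p, ancestors, page)
                for p in _header_values(headers, "Content-Security-Policy")]
    verdicts = [v for v in verdicts if v is not None]
    if verdicts:
        return all(verdicts)
    values = {v.lower() for v in _header_values(headers, "X-Frame-Options")}
    if not values:
        return True                              # no header: anyone may frame the page
    if len(values) > 1:
        # Distinct values (two headers, or "SAMEORIGIN, DENY" built by 'Header append'):
        # a mix containing DENY/SAMEORIGIN/ALLOWALL counts as DENY, otherwise ignored.
        return not values & {"deny", "sameorigin", "allowall"}
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(a == page for a in ancestors)
    return True                                  # ALLOW-FROM or anything else: ignored

# Constructed scenario: a banking page framed by its own site, a partner site and an
# attacker's lure page. Comments give the Apache directive producing each header set.
PAGE = "https://bank.example/transfer"
SAME = ["https://bank.example/home"]
PARTNER = ["https://partner.example/embed"]
ATTACKER = ["https://evil.example/lure"]
SCENARIOS = {
    "no header": [],
    "deny": [("X-Frame-Options", "DENY")],                # Header always set X-Frame-Options "DENY"
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],    # Header always set X-Frame-Options "SAMEORIGIN"
    "allow-from": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "append conflict": [("X-Frame-Options", "SAMEORIGIN, ALLOW-FROM https://partner.example")],
    # Header always set Content-Security-Policy "frame-ancestors 'self' https://partner.example"
    "csp + fallback": [("Content-Security-Policy", "frame-ancestors 'self' https://partner.example"),
                       ("X-Frame-Options", "SAMEORIGIN")],
}

def evaluate_scenarios():
    """Each scenario -> (may same origin frame it, may partner, may attacker)."""
    return {name: tuple(framing_allowed(hdrs, PAGE, chain) for chain in (SAME, PARTNER, ATTACKER))
            for name, hdrs in SCENARIOS.items()}

if __name__ == "__main__":
    for name, verdict in evaluate_scenarios().items():
        print(f"{name:16} same origin / partner / attacker may frame: {verdict}")
```

Run the file to print one line per scenario. To check a live deployment, feed the (name, value) pairs of the real response headers (for example copied from curl -I) into framing_allowed with the framing chain you care about. Two results are worth noting: the ALLOW-FROM scenario leaves the attacker's frame allowed, because no current browser recognises the value, and the "append conflict" scenario blocks even same-origin framing, because the list produced by Header append contains SAMEORIGIN alongside another value.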