Secure Apache from Clickjacking with X-FRAME-OPTIONS

secure-apache
Apache Security

Clickjacking is well known web application vulnerabilities. For example, it was used as an attack on Twitter. To defense Clickjacking attack on your Apache web server, you can use X-FRAME-OPTIONS to avoid your website being hacked from Clickjacking.

The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe. This will prevent site content embedded into other sites. Did you ever tried embedding Google.com in your website as frame? You can’t because it’s protected and you can protect your’s too.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow page to be displayed in frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM uri: This setting will allow page to be displayed only on the specified origin.

How to implement in Apache, IBM HTTP Server?

Add following line in Apache Web Server’s httpd.conf file

Header always append X-Frame-Options SAMEORIGIN

Restart Apache Web Server

Note: This implementation is applicable in IBM HTTP Server as well. You can add above Header parameter in httpd.conf of your IBM HTTP Server instance.

How to implement in shared web hosting?

If your website is hosted on shared web hosting then you won’t have permission to modify httpd.conf. However, you can implement this by adding following line in .htaccess file.

Header append X-FRAME-OPTIONS "SAMEORIGIN"

How to verify the implementation?

You can use any web developer tool to view Response headers and ensure you see following. You can also use online tool – Header Checker to verify.

X Frame Options

Originally posted on http://chandank.com/webservers/apache/secure-apache-from-clickjacking-with-x-frame-options

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s