In the digital era, website security has become a paramount concern for developers and administrators alike. Among the myriad of security measures available, configuring HTTP headers to protect against clickjacking attacks is crucial. One such header is X-Frame-Options, which controls whether a browser should allow a page to be framed or iframed. This article provides a comprehensive step-by-step guide on how to configure X-Frame-Options in Apache, one of the most popular web servers in use today.
What is Clickjacking?
Clickjacking is a malicious technique to deceive a user into clicking on something different from what the user perceives, potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocent web pages. It involves embedding a page as a frame within another page, thus tricking a user into a click that was intended for the page on top but actually goes to the embedded page.
The Role of X-Frame-Options
The X-Frame-Options HTTP response header can help mitigate this risk by instructing the browser whether it is allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. There are three possible values for X-Frame-Options:
- DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin. This value is obsolete and modern browsers ignore it, so for per-origin allow-lists use the Content Security Policy frame-ancestors directive described in Step 3 instead.
Configuring X-Frame-Options in Apache
Step 1: Access the Apache Configuration File
To begin, you need to access your Apache server’s configuration file. This is usually found in /etc/apache2/httpd.conf or /etc/apache2/apache2.conf on Unix/Linux systems or C:\Apache24\conf\httpd.conf on Windows systems. The location and name of the file might vary depending on your Apache installation and operating system.
Step 2: Edit the Configuration File
Open the configuration file with your preferred text editor. You need to add the appropriate directive to set the X-Frame-Options header. This is done with the Header directive, which is provided by the mod_headers module, so ensure that this module is enabled in your Apache configuration. On Debian and Ubuntu you can enable it with sudo a2enmod headers; if the module is not loaded, Apache will refuse to start and report "Invalid command 'Header'".
Step 3: Set the X-Frame-Options Value
Insert one of the following lines into your configuration file to set the X-Frame-Options header. The always condition makes Apache add the header to every response, including error pages such as 404s, which would otherwise be left unprotected:
- To prevent any domain from framing your content, add:
Header always set X-Frame-Options "DENY"
- To allow only your own domain to frame content, use:
Header always set X-Frame-Options "SAMEORIGIN"
If you need to allow a specific domain to frame your content, Apache has no dedicated support for the ALLOW-FROM value, and modern browsers no longer honor it. Instead, use Content Security Policy (CSP) with the frame-ancestors directive, which offers more flexibility and is recommended over ALLOW-FROM.
Step 4: Restart Apache
After making changes to the configuration file, save your changes, check them for syntax errors with sudo apachectl configtest (apache2ctl configtest on Debian/Ubuntu), and then restart the Apache server to apply them. The restart can typically be done with the following command on Unix/Linux systems:
sudo systemctl restart apache2
Or, on Windows systems, by restarting the Apache service through the Services management console.
Step 5: Test Your Configuration
Finally, it's essential to test your website to ensure that the X-Frame-Options header is being sent correctly. You can use browser developer tools or online tools to inspect the HTTP headers received by your browser when accessing your website, or run curl -I against your site from the command line. Confirm that exactly one X-Frame-Options header appears, with a single value: if two configuration files each set the header, or a Header append directive merges values, browsers see conflicting values and refuse to apply the policy as you intended.
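To make the Step 5 check repeatable, the following added example (not part of the original article) parses a raw HTTP response and classifies its framing policy, including the duplicate or merged X-Frame-Options case that a stray Header append or a second configuration file produces. The sample responses are constructed, not captured from a real server; feed it the output of curl -i to check a live site.

```python
"""Offline checker for the anti-clickjacking headers discussed above."""

# Values browsers actually enforce; ALLOW-FROM is obsolete and ignored.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw response into (name, value) pairs, names lower-cased.
    Repeated headers are kept as separate entries, not merged."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line:                    # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_frame_headers(raw: str) -> dict:
    """Classify the framing policy carried by a response.

    Two X-Frame-Options lines, or one merged value such as
    'DENY, SAMEORIGIN', are both treated as conflicting, mirroring
    the browser behaviour described in the comments below.
    """
    headers = parse_headers(raw)
    xfo_values = []
    for name, value in headers:
        if name == "x-frame-options":
            xfo_values.extend(v.strip().upper() for v in value.split(","))
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    has_frame_ancestors = "frame-ancestors" in csp.lower()

    if not xfo_values and not has_frame_ancestors:
        status = "missing"
    elif len(set(xfo_values)) > 1:
        status = "conflicting"
    elif xfo_values and xfo_values[0].startswith("ALLOW-FROM"):
        status = "obsolete-allow-from"
    elif xfo_values and xfo_values[0] not in VALID_XFO:
        status = "invalid"
    else:
        status = "ok"
    return {"status": status, "x_frame_options": xfo_values,
            "frame_ancestors": has_frame_ancestors}


# Constructed sample responses (not captured from a real server).
GOOD = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
CONFLICT = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
MISSING = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"

if __name__ == "__main__":
    for label, sample in (("good", GOOD), ("conflict", CONFLICT), ("missing", MISSING)):
        print(label, check_frame_headers(sample))
```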
Setting Up X-Frame-Options with .htaccess
In shared hosting environments where modifying the Apache configuration directly isn’t possible, you can use a .htaccess file in your document root for similar effects:
Header always set X-Frame-Options "DENY"
Create or edit the .htaccess file and add the above line to enforce the X-Frame-Options policy, effectively protecting your site from clickjacking within the constraints of shared hosting. Use set rather than append so that a header already added by the server-wide configuration is replaced instead of merged into a conflicting value. Note that Header directives in .htaccess only take effect if the hosting provider's AllowOverride setting includes FileInfo.
Conclusion
Configuring the X-Frame-Options header in Apache is a straightforward yet powerful step in securing your website against clickjacking attacks. By following this guide, you can enhance your website’s security posture and protect your users from potential threats. Remember, security is an ongoing process, and keeping your server configurations up to date is vital in the ever-evolving landscape of web security.
3 Comments
Very helpful, thank you. Note that if you are running SSL (on Debian 9, at least), you will need to change X-Frame-Options in *both* the following files:
/etc/apache2/conf-available/security.conf
/etc/apache2/conf-available/ssl-params.conf
Otherwise you will get an error similar to the following (in the chrome console):
Refused to display ‘*****’ in a frame because it set multiple ‘X-Frame-Options’ headers with conflicting values (‘DENY, SAMEORIGIN’). Falling back to ‘deny’.
Thanks, it works for me.
Very useful, thank you.
On Ubuntu 18.04 it is:
/etc/apache2/conf-available/security.conf