
    How to Configure X-Frame-Options in Apache

    By Rahul | April 15, 2020 | 2 Mins Read

    X-Frame-Options is an HTTP response header. It prevents your site's content from being embedded into other sites: based on its value, the browser decides whether other sites are allowed to open your web page in an iframe. It also helps secure sites served by your Apache web server against clickjacking attacks.


    There are three options available to set with X-Frame-Options:

    • ‘SAMEORIGIN’ – With this setting, pages can be embedded only by pages of the same origin. For example, the site can add an iframe of one of its own pages.
    • ‘ALLOW-FROM uri’ – Use this setting to allow a specific origin (website/domain) to embed pages of your site in an iframe.
    • ‘DENY’ – This does not allow any website to embed your site's pages in an iframe.

    Setup X-Frame-Options with Apache Configuration

    Edit the Apache configuration file for your operating system. The configuration file can be found at:

    Debian based systems: /etc/apache2/conf-enabled/security.conf
    Redhat based systems: /etc/httpd/conf/httpd.conf

    Now add one of the following entries to the file:

    • Allow for Same Origin (Default Action)

      Header set X-Frame-Options: "SAMEORIGIN"
      
    • Allow from specific origin

      # Use only one of these lines: each "Header set" replaces the previous
      # value, and ALLOW-FROM accepts a single origin.
      Header set X-Frame-Options: "ALLOW-FROM http://example.com/"
      Header set X-Frame-Options: "ALLOW-FROM http://www.example.com/"
      Header set X-Frame-Options: "ALLOW-FROM https://example.com/"
      Header set X-Frame-Options: "ALLOW-FROM https://www.example.com/"
      
    • Deny to everyone

      Header set X-Frame-Options: "DENY"
      

    Save the configuration file and restart the Apache service to apply the changes.
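
    To confirm the result after the restart, the shell function below (an added example, not part of the original article) reads raw HTTP response headers on stdin and reports whether exactly one valid X-Frame-Options value is sent, flagging the case where more than one distinct value is present, for example because two configuration files each set the header. The function names and sample responses are constructed for illustration; the host name in the usage comment is a placeholder.

```shell
# Added example, not from the original article. Names and samples are constructed.
# Live use:  curl -sI https://your-site.example/ | xfo_check

# Read raw HTTP response headers on stdin and classify X-Frame-Options.
xfo_check() {
    # Header names are case-insensitive; a value may also arrive comma-joined.
    # Collect all values, one per line, trimmed, upper-cased, de-duplicated.
    xfo_values=$(tr -d '\r' \
        | awk -F: 'tolower($1) == "x-frame-options" { sub(/^[^:]*:/, ""); print }' \
        | tr ',' '\n' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | tr '[:lower:]' '[:upper:]' \
        | sort -u)

    if [ -z "$xfo_values" ]; then
        echo "MISSING"; return 1
    fi
    # More than one distinct value: browsers report "conflicting values".
    if [ "$(printf '%s\n' "$xfo_values" | grep -c '')" -gt 1 ]; then
        echo "CONFLICT: $(printf '%s\n' "$xfo_values" | paste -sd, -)"; return 1
    fi
    case "$xfo_values" in
        DENY|SAMEORIGIN) echo "OK: $xfo_values" ;;
        ALLOW-FROM*)     echo "OBSOLETE: ALLOW-FROM is ignored by current browsers"; return 1 ;;
        *)               echo "INVALID: $xfo_values"; return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_conflict() {
    printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
```

    The function returns a non-zero status for anything other than a single DENY or SAMEORIGIN value, so it can be used directly in a deployment check.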

    Setup X-Frame-Options with .htaccess

    For websites running in a shared hosting environment, you may not have the privileges to modify the Apache configuration. In this case, you can create a .htaccess file in the document root and add the same setting as above:

    # "set" replaces any existing value; "append" would add a second, possibly conflicting one
    Header set X-Frame-Options: "SAMEORIGIN"
    


    3 Comments

    1. Biker Mike on October 1, 2021 9:51 am

      Very helpful, thank you. Note that if you are running SSL (on Debian 9, at least), you will need to change X-Frame-Options in *both* the following files:

      /etc/apache2/conf-available/security.conf
      /etc/apache2/conf-available/ssl-params.conf

      Otherwise you will get an error similar to the following (in the Chrome console):

      Refused to display ‘*****’ in a frame because it set multiple ‘X-Frame-Options’ headers with conflicting values (‘DENY, SAMEORIGIN’). Falling back to ‘deny’.

      • Lokesh Bhandari on December 17, 2021 11:33 am

        Thanks, it works for me.

    2. Rod Graham on April 13, 2021 5:15 pm

      Very useful, thank you.

      On Ubuntu 18.04 it is:

      /etc/apache2/conf-available/security.conf
