The X-Frame-Options in used as HTTP response header. This prevents your site content embedded into other sites. Based on this value a browser allowed other sites to open web page in iframe. It also secure your Apache web server from clickjacking attack.
There are three options available to set with X-Frame-Options:
- ‘SAMEORIGIN’ – With this setting, you can embed pages on same origin. For example, add iframe of a page to site itself.
- ‘ALLOW-FROM uri – Use this setting to allow specific origin (website/domain) to embed pages of your site in iframe.
- ‘DENY – This will not allow any website to embed your site pages in an iframe.
Setup X-Frame-Options with Apache Configuration
Edit Apache configuration file based on your operating system. The configuration file can be found:
Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf
Now add one of the following entry to file:
Allow for Same Origin (Default Action)
Header set X-Frame-Options: "SAMEORIGIN"
Allow from specific origin
Header set X-Frame-Options: "ALLOW-FROM http://example.com/" Header set X-Frame-Options: "ALLOW-FROM http://www.example.com/" Header set X-Frame-Options: "ALLOW-FROM https://example.com/" Header set X-Frame-Options: "ALLOW-FROM https://www.example.com/"
Deny to everyone
Header set X-Frame-Options: "DENY"
Save the configuration file and restart Apache service to apply changes.
Setup X-Frame-Options with .htaccess
The websites running over shared hosting environment, You may not have privileges to modify Apache configuration. In this case, you can create .htaccess file on document root and append the same settings as above:
Header append X-Frame-Options: "SAMEORIGIN"
Very helpful, thank you. Note that if you are running SSL (on Debian 9, at least), you will need to change X-Frame-Options in *both* the following files:
Otherwise you will get an error similar to the following (in the chrome console):
Refused to display ‘*****’ in a frame because it set multiple ‘X-Frame-Options’ headers with conflicting values (‘DENY, SAMEORIGIN’). Falling back to ‘deny’.
Thanks, it works for me.
Very useful, thank you.
On ubuntu 18.04 it is: