Clickjacking is an attack that deceives a web user into interacting (in most cases by clicking) with something different from what the user intends. While the victim interacts with pages they believe are harmless, the attack can send unauthorized commands or reveal the user's confidential information.

To protect your Apache web server against Clickjacking attacks, you can use the X-Frame-Options response header. This header helps prevent your website from being framed by an attacker's page.

The X-Frame-Options HTTP response header tells the browser whether it is permitted to render the page inside a frame or iframe. This prevents your site's content from being embedded in other sites. For example, you cannot embed Google.com in your website as a frame because it already has this protection in place.

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: A page must be displayed in a frame of the same origin as the page itself.
  2. DENY: This setting prevents a page from displaying in a frame or iframe.
  3. ALLOW-FROM URI: This setting allows a page to be displayed only on the specified origin.

Implement in Apache

  • Log in to the Apache or IHS server
  • Open the Apache web server's httpd.conf file and add the following line to it:

# Requires mod_headers. "set" replaces any existing value; "append" would merge a duplicate into a comma-separated value.
Header always set X-Frame-Options "SAMEORIGIN"

  • Then restart the Apache web server.
  • Test the application.

Implement on shared web hosting

If your website is hosted on shared web hosting, you will not be able to modify the httpd.conf file directly. However, you can apply the same setting by adding the following line to the .htaccess file.

# Requires mod_headers; "set" rather than "append" so the header is never duplicated.
Header always set X-Frame-Options "SAMEORIGIN"

Verification

To view the response headers, use your browser's developer tools or an online tool such as Header Checker, and confirm that X-Frame-Options is present.
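As an added example (not part of the original post), the following Python script performs the verification step from the command line: it fetches the response headers of a URL with a HEAD request and checks that X-Frame-Options carries exactly one DENY or SAMEORIGIN token. It also flags the two misconfigurations a practitioner runs into most often: a duplicated or comma-joined value (which is what an `append` directive produces when the header already exists) and the obsolete ALLOW-FROM form. The sample header blocks at the bottom are constructed for illustration.

```python
import http.client
from urllib.parse import urlparse

VALID_TOKENS = {"DENY", "SAMEORIGIN"}

def classify_xfo(values):
    """Return (ok, reason) for the X-Frame-Options value(s) seen in one response.

    Only a single DENY or SAMEORIGIN token passes. A duplicated or comma-joined
    value (what 'Header append' produces when the header already exists) is
    handled inconsistently across browser versions; ALLOW-FROM is obsolete.
    """
    if not values:
        return False, "header missing"
    if len(values) > 1:
        return False, "header sent more than once; use 'Header always set'"
    value = values[0].strip()
    if "," in value:
        return False, "comma-joined value; use 'Header always set' instead of 'append'"
    token = value.upper()
    if token in VALID_TOKENS:
        return True, token
    if token.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete; use CSP frame-ancestors instead"
    return False, f"unrecognised value {value!r}"

def xfo_values_from_raw(raw):
    """Collect X-Frame-Options values from a raw header block (captured or constructed)."""
    found = []
    for line in raw.splitlines():
        name, sep, val = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            found.append(val.strip())
    return found

def check_url(url, timeout=10):
    """Send a HEAD request and classify the live X-Frame-Options header."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("HEAD", u.path or "/")
    headers = conn.getresponse().getheaders()
    return classify_xfo([v for k, v in headers if k.lower() == "x-frame-options"])

if __name__ == "__main__":
    # Constructed sample responses: a correct header and the 'append' pitfall.
    good = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nContent-Type: text/html\r\n"
    bad = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n"
    print(classify_xfo(xfo_values_from_raw(good)))
    print(classify_xfo(xfo_values_from_raw(bad)))
```

Run `check_url("https://your-site.example/")` against your own server after the restart; a result of `(True, 'SAMEORIGIN')` confirms the directive took effect.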

Conclusions

Congratulations! You have learned how to secure Apache from Clickjacking attacks. If you are facing any problems with the installation, feel free to comment here. We will help you solve the issue.
