Clickjacking is an attack that deceives a web user into interacting (in most cases by clicking) with something different from what the user intends. Such an attack can send unauthorized commands or reveal confidential user information while the victim is interacting with web pages the user thinks are harmless. To defend against clickjacking on your Apache web server, you can use the X-Frame-Options header. This header helps prevent your website from being abused in a clickjacking attack.
The X-Frame-Options HTTP response header indicates whether a browser is permitted to render a page inside a frame or iframe. It prevents your site's content from being embedded in other sites. For example, you cannot embed Google.com in your website as a frame because it is protected.
There are three settings for X-Frame-Options:
- SAMEORIGIN: the page may only be displayed in a frame on the same origin as the page itself.
- DENY: the page may not be displayed in a frame or iframe at all.
- ALLOW-FROM uri: the page may only be displayed in a frame on the specified origin.
Implement in Apache
Open the Apache web server's httpd.conf file and add the following lines to it:
# Requires mod_headers (on Debian/Ubuntu: a2enmod headers).
# Use "set", not "append": if the header is already present, "append" produces
# "SAMEORIGIN, SAMEORIGIN", which browsers treat as invalid and ignore.
# "always" applies the header to error responses as well as normal ones.
Header always set X-Frame-Options "SAMEORIGIN"
Then restart the Apache web server.
Implement in shared web hosting
If your website is hosted on shared web hosting, you cannot modify the httpd.conf file. You can apply the same setting by adding the following line to your .htaccess file (this also requires mod_headers, which most hosts enable):
Header always set X-Frame-Options "SAMEORIGIN"
To view the response headers, you can use the developer tools of any browser, or an online tool such as Header Checker, to verify that the header is present.
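As an added example (not part of the original post), here is a shell check that inspects a server's response headers for a valid X-Frame-Options value. It runs over constructed sample responses, flags the duplicated value that "Header append" produces when the header was already set (browsers reject such a value), and reports ALLOW-FROM, which current browsers do not honour; check_url is an assumed helper that fetches live headers with curl -sI from a URL you supply.

```shell
#!/bin/sh
# Constructed sample responses (not captured from a real server).
GOOD_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
MISSING_HEADERS='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'
DOUBLED_HEADERS='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN
Content-Type: text/html'

# check_xfo HEADERS: prints a verdict and returns 0 only when the response
# carries exactly one X-Frame-Options header set to DENY or SAMEORIGIN.
check_xfo() {
    # Collect every X-Frame-Options value (header names are case-insensitive;
    # strip CR so CRLF responses from curl parse cleanly).
    values=$(printf '%s\n' "$1" | tr -d '\r' \
        | awk -F': *' 'tolower($1) == "x-frame-options" { print $2 }')
    if [ -z "$values" ]; then
        echo "FAIL: no X-Frame-Options header; any site can frame this page"
        return 1
    fi
    # Several header lines, or a comma inside the value, means the header was
    # emitted more than once (typically "Header append" on a response that
    # already had it). Browsers treat that as invalid and apply no protection.
    if [ "$(printf '%s\n' "$values" | grep -c .)" -gt 1 ] \
        || printf '%s' "$values" | grep -q ','; then
        echo "FAIL: multiple X-Frame-Options values ($values); browsers ignore them"
        return 1
    fi
    v=$(printf '%s' "$values" | tr '[:lower:]' '[:upper:]')
    case "$v" in
        DENY|SAMEORIGIN) echo "OK: X-Frame-Options is $v"; return 0 ;;
        ALLOW-FROM*) echo "FAIL: ALLOW-FROM is not honoured by current browsers"; return 1 ;;
        *) echo "FAIL: unrecognised X-Frame-Options value '$v'"; return 1 ;;
    esac
}

# Live check against a URL you supply (assumed helper): fetch headers only.
check_url() {
    check_xfo "$(curl -sI "$1")"
}

for h in "$GOOD_HEADERS" "$MISSING_HEADERS" "$DOUBLED_HEADERS"; do
    check_xfo "$h" || true
done
```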
Congratulations! You have learned how to secure Apache from clickjacking attacks.
If you are facing any problem with the configuration, feel free to comment here. We will help you to solve the issue.