To protect your Apache web server against clickjacking attacks, you can send the X-Frame-Options response header. It tells browsers not to render your pages inside frames on other sites, which is what a clickjacking page relies on.
X-Frame-Options is an HTTP response header that tells the browser whether it may render the page inside a frame or iframe. It stops other sites from embedding your content. For example, you cannot embed Google.com in your website as a frame, because Google already has this protection in place.
There are three settings for X-Frame-Options:
- SAMEORIGIN: The page may be displayed in a frame only if the framing page has the same origin as the page itself.
- DENY: The page may not be displayed in a frame or iframe at all, not even by pages from the same origin.
- ALLOW-FROM uri: The page may be displayed in a frame only on the specified origin. Note that ALLOW-FROM is obsolete: current browsers no longer support it and ignore the header when it carries this value, so per-origin allow lists should use the Content-Security-Policy frame-ancestors directive instead.
Implement in Apache
- Log in to the Apache or IHS server
- Open the Apache web server's httpd.conf file and add the following line (the mod_headers module must be enabled):
Header always set X-Frame-Options "SAMEORIGIN"
Use "set" rather than "append": "append" joins the value onto any X-Frame-Options header the application already sends, producing "SAMEORIGIN, SAMEORIGIN", which browsers do not interpret consistently. "always" makes sure the header is also added to error responses.
- Then restart the Apache Web Server.
- Test the application.
Implement in shared web hosting
If your website is on shared web hosting, you cannot modify the httpd.conf file directly. You can still enable the header by adding the following line to your .htaccess file (this also relies on mod_headers):
Header always set X-Frame-Options "SAMEORIGIN"
To confirm the header is actually being sent, inspect the response headers in your browser's developer tools (Network tab), with curl -I, or with an online tool such as Header Checker.
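As an added check that is not part of the original post, the following POSIX shell function validates the header on a captured response: it reports a missing header, the obsolete ALLOW-FROM form, and the comma-joined value that Header append produces when the application already sends its own X-Frame-Options. The sample responses in the block are constructed, not captured from any server.

```shell
#!/bin/sh
# Added example, not from the original post: validate X-Frame-Options in a
# captured HTTP response. Raw response headers are read from stdin, so a
# live check is:   curl -sI https://www.example.com | check_xfo
# Returns 0 only when the header appears exactly once with SAMEORIGIN or DENY.
check_xfo() {
  # Header names and X-Frame-Options tokens are case-insensitive, so lowercase
  # everything and drop the CR of CRLF line endings.
  headers=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
  count=0
  problem=""
  while IFS= read -r line; do
    name=${line%%:*}
    [ "$name" = "x-frame-options" ] || continue
    value=$(printf '%s' "${line#*:}" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    count=$((count + 1))
    case "$value" in
      *,*) problem="comma-joined value '$value' (what 'Header append' yields when the app already sends the header); browsers do not treat such lists consistently" ;;
      sameorigin|deny) ;;
      allow-from*) problem="'$value' is obsolete; browsers that do not support it ignore the header" ;;
      *) problem="unrecognised value '$value'" ;;
    esac
  done <<EOF
$headers
EOF
  if [ "$count" -eq 0 ]; then
    echo "FAIL: no X-Frame-Options header, the page can be framed by any site"; return 1
  elif [ "$count" -gt 1 ]; then
    echo "FAIL: X-Frame-Options sent $count times"; return 1
  elif [ -n "$problem" ]; then
    echo "FAIL: $problem"; return 1
  fi
  echo "OK: X-Frame-Options is '$value'"
}

# Constructed sample responses (not captured from any real server).
GOOD='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'
STACKED='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN'
MISSING='HTTP/1.1 200 OK
Content-Type: text/html'
for sample in "$GOOD" "$STACKED" "$MISSING"; do
  printf '%s\n' "$sample" | check_xfo || true
done
```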
Congratulations! You have learned how to secure Apache from clickjacking attacks.
If you run into any problems with the setup, feel free to comment here and we will help you solve the issue.