Clickjacking, also known as a UI redress attack, is a well-known vulnerability of websites and web applications. The attacker loads the target page in an invisible or disguised iframe on a page they control and lures the user into clicking on it, so the click lands on the target site's own controls (a button, a confirmation, a settings change) without the user's knowledge or consent.
This tutorial explains how to protect websites and web applications from clickjacking with the X-Frame-Options response header. Its value tells the browser whether the page may be displayed inside a frame (iframe, frame, embed or object), so that other sites cannot embed your content in their own pages.
The possible directives available with X-Frame-Options are listed below. These can be added either to the
The headers module (mod_headers) must be enabled before the Header directive works. On Debian and Ubuntu systems run the following commands:
# Enable the headers module
sudo a2enmod headers

# Restart Apache so the module is loaded
sudo service apache2 restart
On Windows, the same module can be enabled from WampServer as shown in Fig 1.
SAMEORIGIN
Allows the page to be framed only by pages from the same origin, i.e. the same scheme, host and port as the page itself. A different subdomain, or the same host over a different scheme, counts as a different origin even when it is served by the same Apache server. Use set rather than append: append adds a further value when the header is already present (for example when both httpd.conf and .htaccess emit it), and browsers treat a header that carries more than one distinct value as malformed. The always keyword makes Apache send the header on error responses as well, not only on 2xx responses.
# httpd.conf - allow framing from the same origin only; restart the server afterwards
Header always set X-Frame-Options "SAMEORIGIN"

# .htaccess file - within the application directory
Header always set X-Frame-Options "SAMEORIGIN"
DENY
Blocks the page from being displayed in a frame by any page, whether from the same origin or from a different one. This is the right choice for any page that is never meant to be embedded.
# .htaccess file - within the application directory
Header always set X-Frame-Options "DENY"
Note that unset does the opposite of blocking: it removes the header from the response, so browsers fall back to their default and allow framing from anywhere. Use it only where a policy set elsewhere must be cleared deliberately, for example on a page that expresses its framing policy with Content-Security-Policy frame-ancestors instead.
# .htaccess file - removes the header and with it the protection
Header always unset X-Frame-Options
ALLOW-FROM
ALLOW-FROM was meant to allow one specific site to frame the page. It takes exactly one URI, not a comma-separated list, and it is obsolete: only Internet Explorer and older versions of Firefox ever honoured it, and current browsers treat it as an unrecognised value and ignore the header, which leaves the page unprotected. Do not use it in new configurations; an allow-list of framing origins is expressed with the Content-Security-Policy frame-ancestors directive instead. For completeness, the legacy syntax was:
# .htaccess file - obsolete, ignored by current browsers
Header always set X-Frame-Options "ALLOW-FROM <origin>"
These are the values X-Frame-Options provides to allow or disallow framing of your content by other sites; in practice only DENY and SAMEORIGIN are reliable. After changing the configuration, confirm the header in the actual responses (for example with the browser's developer tools or curl -I), including an error page, since a missing module or a directive in the wrong section silently leaves the page unprotected.
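Once the header is configured, check what the server really sends. The following Python script is an added example, not part of the original tutorial: it parses raw HTTP responses (constructed inline, not captured from a real server) and reports whether the X-Frame-Options header present would actually stop framing, applying the rules above (DENY and SAMEORIGIN only, matched case-insensitively, exactly one value, ALLOW-FROM no longer honoured). The function and sample names are my own.

```python
"""Audit X-Frame-Options in raw HTTP responses (added example, not from the tutorial).

Rules applied, matching what current browsers do with the header:
  * DENY and SAMEORIGIN are the only values that still restrict framing;
    the value is matched case-insensitively (header names are too).
  * ALLOW-FROM is obsolete: current browsers treat it as an unknown value and
    apply no framing restriction at all.
  * The header must carry exactly one value. "Header append", or emitting it
    from both httpd.conf and .htaccess, produces repeats or conflicts: identical
    repeats are tolerated here, conflicting ones are flagged as a misconfiguration.
"""
from dataclasses import dataclass

EFFECTIVE_VALUES = {"DENY", "SAMEORIGIN"}


@dataclass(frozen=True)
class Verdict:
    protected: bool   # True only if current browsers would refuse cross-origin framing
    reason: str


def parse_headers(raw_response: str) -> list[tuple[str, str]]:
    """Return (lower-cased name, value) pairs from a raw HTTP/1.x response.

    Duplicate header lines and their order are preserved; the body after the
    blank line is ignored.
    """
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    pairs = []
    for line in head.split("\n")[1:]:          # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_x_frame_options(raw_response: str) -> Verdict:
    """Decide whether the X-Frame-Options header in the response is effective."""
    values = []
    for name, value in parse_headers(raw_response):
        if name == "x-frame-options":
            # A repeated header line arrives as separate pairs; "Header append"
            # joins repeats into one field with commas. Treat both the same way.
            values.extend(v.strip() for v in value.split(",") if v.strip())

    if not values:
        return Verdict(False, "header missing: any site can frame this page")

    if any(v.upper().startswith("ALLOW-FROM") for v in values):
        return Verdict(False, "ALLOW-FROM is obsolete and ignored by current browsers; "
                              "use Content-Security-Policy frame-ancestors for an allow-list")

    distinct = {v.upper() for v in values}
    if len(distinct) > 1:
        return Verdict(False, f"conflicting values {sorted(distinct)}: browsers do not agree "
                              "on how to handle this, send exactly one value")

    (value,) = distinct
    if value in EFFECTIVE_VALUES:
        return Verdict(True, f"{value} is enforced by all current browsers")
    return Verdict(False, f"unrecognised value {value!r}: browsers ignore the header")


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "set_sameorigin":   "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "lowercase_deny":   "HTTP/1.1 200 OK\r\nx-frame-options: deny\r\n\r\n",
    "missing":          "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "append_identical": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n\r\n",
    "conflicting":      "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "allow_from":       "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "typo":             "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
}


def audit(samples: dict[str, str]) -> dict[str, Verdict]:
    """Run the check over every sample and return the verdicts by label."""
    return {label: check_x_frame_options(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, verdict in audit(SAMPLES).items():
        status = "OK  " if verdict.protected else "FAIL"
        print(f"{status} {label:17} {verdict.reason}")
```

To use it against a live server, paste the output of curl -sI for a normal page and for an error page (a non-existent URL) in place of the constructed samples: a Header directive without always does not apply to non-2xx responses, and the error page is where that gap shows up.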