The X-Frame clickjacking header Apache config

Posted under » Apache » LAMP Security on 01 October 2014

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

Header set X-Frame-Options: "sameorigin"

Under options, if you specify DENY, not only will attempts to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify SAMEORIGIN, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.

For Apache 2.4.7 and later, you can uncomment the option under /conf-available/security.conf

However, this will not work until you load/enable the headers module. If you receive this error message .. "Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration" then you have to do this first.

ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load

Then restart Apache.

web security linux ubuntu python django git Raspberry apache mysql php drupal cake javascript css AWS