Apache: Using X-Frame-Options To Evade Click-Jacking

Click-Jacking. It tells you all about it on the Wikipedia article.

This posting is about how to avoid security scans telling you to disable click-jacking, if you are using the Apache web server software. If you’re using IIS, you are on your own for now (but searching for “IIS X-Frame-Options” will get you started).

The aim here is to change the configuration of Apache to send an X-Frame-Options HTTP header saying “don’t embed this page in a frame”. This involves changing the Apache configuration file(s).

Firstly make sure that you are loading the Apache module to modify HTTP headers :-

LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so

This may be enabled by default on less minimalistic Linux distributions. Next for every virtual server add the following :-

Header always append X-Frame-Options DENY

The effective options (the other option may or may not be universally supported) for the word at the end are: DENY (don’t permit at all), and SAMEORIGIN (only permit from the same server).

The “X-Frame-Options” header is deprecated and an alternative is suggested :-

Header always append Content-Security-Policy: "frame-ancestors 'none'"

In some cases it may be necessary to try the following :-

Header always append Content-Security-Policy: "frame-ancestors 'self'"


This entry was posted in Technical and tagged , , . Bookmark the permalink.