Sunday, October 18, 2020

How to implement the X-Frame-Options security header in your web application?


The X-Frame-Options header has a single purpose: to stop "clickjacking" attacks on your application. Clickjacking occurs when an attacker places an iframe on their own website but gives a URL on your domain as its source.

It gives your users the impression that they are using your site, where in reality they are clicking concealed links and buttons on the attacker's site. This can potentially lead to the user submitting authentication credentials to the attacker.

There is a simple header configuration that you should implement to prevent clickjacking attacks. It's called the X-Frame-Options header.

There are 3 correct values for the X-Frame-Options security header:

  • DENY, which means your site can't be displayed in a frame at all;
  • SAMEORIGIN, which only allows frames from your own site; or
  • ALLOW-FROM https://yoursite.com/, which only allows frames from the domain specified in this directive.

How to implement X-Frame-Options in Apache?

The correct implementation of this header in Apache is in your httpd.conf or equivalent file. 

Make sure that you backup your current file before implementing this header. Then add this line of code:

Header always set X-Frame-Options "SAMEORIGIN"

You will have to restart your Apache web server to ensure that your new X-Frame-Options header is served.

How to implement X-Frame-Options in nginx?

The correct implementation of this header in Nginx is in the server section of your nginx.conf or equivalent file:

add_header X-Frame-Options "SAMEORIGIN" always;

You will have to restart your nginx web server to ensure that your new X-Frame-Options header is served.

How to implement X-Frame-Options using .htaccess?

You may need to use this route if you don't have access to your web server configuration files, which may be the case if you use shared hosting services.

Add the following line to your .htaccess file to include the X-Frame-Options header:

# Use "set", not "append": "append" joins a second value onto any header that
# already exists, and a comma-joined X-Frame-Options value is not accepted by browsers.
# "always" also covers error responses (404, 500). Requires mod_headers.
Header always set X-Frame-Options "SAMEORIGIN"

You do not have to restart your server instance if you implement the X-Frame-Options header using your .htaccess file.
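After deploying the header by any of the three routes above, verify what your server actually sends. The following Python script is an added example written for this article; it is not the original post's code or any vendor's tool. It parses a raw HTTP response head (as printed by `curl -I`), or fetches one live with a HEAD request, and classifies the X-Frame-Options value: missing, a valid DENY or SAMEORIGIN, a duplicated or unrecognised value (which is what a stray `Header append` produces), or ALLOW-FROM, which current browsers no longer honour and which the Content-Security-Policy `frame-ancestors` directive replaces. The sample response heads embedded in the script are constructed by hand; the function names are this example's own.

```python
"""Check the X-Frame-Options header a web server serves.

Added example for this article, not part of the original post. The sample
response heads below are constructed by hand to stand in for `curl -I` output.
"""
import urllib.error
import urllib.request

# The only two values that every current browser enforces.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def parse_response_head(raw):
    """Parse a raw HTTP response head into a list of (name, value) pairs.

    A list (not a dict) is returned on purpose: duplicated headers, which is
    exactly what `Header append` creates, must survive parsing to be detected.
    Header names are lower-cased because HTTP header names are case-insensitive.
    """
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:          # lines[0] is the status line, e.g. HTTP/1.1 200 OK
        if not line.strip():        # blank line ends the head
            break
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def check_x_frame_options(headers):
    """Return (verdict, detail) for the X-Frame-Options values in `headers`.

    Verdicts:
      missing  - no header at all, so any site may frame the page
      ok       - exactly one DENY or SAMEORIGIN
      obsolete - ALLOW-FROM, which current browsers ignore, leaving the page framable
      invalid  - more than one value, or a value browsers do not recognise
    """
    values = []
    for name, value in headers:
        if name == "x-frame-options":
            # A server that merged duplicates sends one comma-joined line; split it.
            values.extend(v.strip() for v in value.split(",") if v.strip())
    if not values:
        return "missing", "no X-Frame-Options header in response"
    if len(values) > 1:
        return "invalid", "multiple values %r; serve exactly one value" % (values,)
    value = values[0].upper()
    if value in VALID_VALUES:
        return "ok", value
    if value.startswith("ALLOW-FROM"):
        return "obsolete", "%s is ignored by current browsers; use CSP frame-ancestors" % values[0]
    return "invalid", "unrecognised value %r" % values[0]


def fetch_and_check(url, timeout=10.0):
    """Send a HEAD request to `url` and check the header on the live response.

    Error responses are checked as well: if the header is present on 200 pages
    but missing on a 404, the `always` keyword was probably left out.
    """
    request = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            items = response.getheaders()
    except urllib.error.HTTPError as err:
        items = err.headers.items()
    return check_x_frame_options([(name.lower(), value) for name, value in items])


# Constructed sample response heads (not captured from any real server).
SAMPLE_GOOD = """HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
"""
SAMPLE_MISSING = """HTTP/1.1 200 OK
Content-Type: text/html
"""
SAMPLE_APPENDED = """HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
"""
SAMPLE_ALLOW_FROM = """HTTP/1.1 200 OK
X-Frame-Options: ALLOW-FROM https://example.com/
"""


def run_samples():
    """Classify each constructed sample; returns {sample name: verdict}."""
    samples = {"good": SAMPLE_GOOD, "missing": SAMPLE_MISSING,
               "appended": SAMPLE_APPENDED, "allow_from": SAMPLE_ALLOW_FROM}
    return {name: check_x_frame_options(parse_response_head(raw))[0]
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print("%-10s -> %s" % (name, verdict))
```

Run it with no arguments to see the four constructed samples classified; call `fetch_and_check("https://yoursite.com/")` and `fetch_and_check("https://yoursite.com/does-not-exist")` to confirm that both normal and error responses from your own server carry a single valid value.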

Do this after you have implemented the X-Frame-Options security header

There are at least seven security-related HTTP headers that you should implement for your website and for your web applications. 

Some of these are as simple to implement as this X-Frame-Options header. Others require a little more technical know-how. You can use our free HTTP header scanning tool to understand:

  1. Which HTTP security headers your website and web app are missing; and
  2. How to implement each missing header.

It's free, so why not take this opportunity to fix your HTTP security headers?

The advanced next step in protecting your web application against hackers is to run regular vulnerability scans using an easy-to-use web application vulnerability scanning tool, like Cyber Chief.

Get your free trial of Cyber Chief now to see how it can help you grow your profits and keep attackers out. 
