Sunday, October 18, 2020

How to implement the X-Frame-Options security header in your web application?

The X-Frame-Options header has a single purpose: to stop "clickjacking" attacks on your application. Clickjacking occurs when an attacker places an iframe on their own website whose source is a URL on your domain.

It gives your users the impression that they are using your site, where in reality they are clicking concealed links and buttons on the attacker's site. This can potentially lead to the user submitting authentication credentials to the attacker.

There is a simple header configuration that you should implement to prevent clickjacking attacks. It's called the X-Frame-Options header.

There are 3 correct values for the X-Frame-Options security header:

  • DENY, which means your pages cannot be displayed in a frame at all;
  • SAMEORIGIN, which only allows your pages to be framed by pages from your own site; or
  • ALLOW-FROM https://yoursite.com/, which only allows your pages to be framed by the domain specified in this directive.

How to implement X-Frame-Options in Apache?

In Apache, this header is set in your httpd.conf or equivalent configuration file.

Make sure that you back up your current file before implementing this header. Then add this line of code:

Header always set X-Frame-Options "SAMEORIGIN"

You will have to restart your Apache web server to ensure that your new X-Frame-Options header is served.

How to implement X-Frame-Options in nginx?

The correct implementation of this header in Nginx is in the server section of your nginx.conf or equivalent file:

add_header X-Frame-Options "SAMEORIGIN" always;

You will have to restart your nginx web server to ensure that your new X-Frame-Options header is served.

How to implement X-Frame-Options using .htaccess?

You may need to use this route if you don't have access to your web server configuration files, which may be the case if you use shared hosting services.

Add the following line to your .htaccess file to include the X-Frame-Options header (use set rather than append, so that any header already present is replaced instead of being joined into a second, comma-separated declaration):

Header always set X-Frame-Options "SAMEORIGIN"

You do not have to restart your server instance if you implement the X-Frame-Options header using your .htaccess file.

Can you have multiple declarations in the X-Frame-Options security header?

Technically, you can have multiple declarations in the X-Frame-Options header. However, the last declaration is the one that will be used. Just make sure every declaration uses the same value, i.e. DENY, SAMEORIGIN or ALLOW-FROM.

But doing this opens you up to the vagaries of how different browsers interpret your multiple declarations. Some browsers, on seeing multiple declarations, will just ignore the header altogether instead of applying the last declaration.

For this reason, we recommend that you only have one declaration for your X-Frame-Options security header.
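A small check that applies the advice above to the headers of a captured response: it counts the X-Frame-Options declarations (including comma-joined ones) and reports whether the policy is single and valid. This is an added example, not code from the original article; the (name, value) header list and the sample responses are constructed.

```python
"""Inspect the X-Frame-Options header(s) of an HTTP response and report
whether they give one unambiguous clickjacking protection."""
from urllib.parse import urlparse

def parse_xfo_values(headers):
    """Collect every X-Frame-Options declaration from (name, value) pairs.
    Header names are case-insensitive, and a comma-joined value (what a
    second 'Header append' produces) counts as several declarations."""
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def evaluate_xfo(headers):
    """Return (status, detail) for the X-Frame-Options policy of a response.
    status is one of 'ok', 'missing', 'ambiguous', 'invalid' or 'limited'."""
    values = parse_xfo_values(headers)
    if not values:
        return "missing", "no X-Frame-Options header; any site may frame these pages"
    if len(values) > 1:
        return "ambiguous", (f"{len(values)} declarations {values}; browsers differ on "
                             "whether they apply the last one or drop the header, keep exactly one")
    directive, _, origin = values[0].partition(" ")
    directive = directive.upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return "ok", directive
    if directive == "ALLOW-FROM":
        target = urlparse(origin.strip())
        if target.scheme in ("http", "https") and target.netloc:
            # Syntactically valid, but current browsers no longer honour
            # ALLOW-FROM; the CSP frame-ancestors directive replaces it.
            return "limited", f"ALLOW-FROM {origin.strip()} (ignored by current browsers)"
        return "invalid", "ALLOW-FROM requires one absolute origin such as https://example.com/"
    return "invalid", f"unrecognised value {values[0]!r}"

# Constructed responses: a correct single declaration, the duplicate that
# 'Header append' can produce next to an existing header, and no header at all.
SINGLE = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
APPENDED = [("X-Frame-Options", "DENY, SAMEORIGIN")]
NONE = [("Content-Type", "text/html")]

if __name__ == "__main__":
    for label, hdrs in (("single", SINGLE), ("appended", APPENDED), ("none", NONE)):
        print(label, *evaluate_xfo(hdrs))
```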

Do this after you have implemented the X-Frame-Options security header

There are at least seven security-related HTTP headers that you should implement for your website and for your web applications. 

Some of these are as simple to implement as this X-Frame-Options header. Others require a little more technical know-how. You can use our free HTTP header scanning tool to understand:

  1. Which HTTP security headers your website and web app are missing; and
  2. How to implement each missing header.

It's free, so why not take this opportunity to test and fix your HTTP security headers?

The advanced next step in protecting your web application against hackers is to run regular vulnerability scans with a user-friendly web application vulnerability scanning tool, like Cyber Chief.

Start your free trial of Cyber Chief now to see not only how it can help to keep attackers out, but also to see how you can ensure that you ship every release with zero known vulnerabilities. 

Or, if you prefer to have an expert-vetted vulnerability assessment performed on your web application you can order the vulnerability assessment from here. Each vulnerability assessment report comes with:

  • Results from scanning your application for the presence of OWASP Top 10 + SANS CWE 25 + thousands of other vulnerabilities.
  • A detailed description of the vulnerabilities found.
  • A risk level for each vulnerability, so you know which ones to fix first.
  • Best-practice fixes for each vulnerability, including code snippets where relevant.
  • One-month free access to our Cyber Chief automated penetration testing & vulnerability management tool.
  • Email support from our application security experts.

Which option do you prefer?