The Nikto scanner came up with this minor ‘hole’:
+ The anti-clickjacking X-Frame-Options header is not present
The rationale behind anti-clickjacking protection is described in http://tools.ietf.org/html/draft-ietf-websec-x-frame-options-00 and http://security.stackexchange.com/questions/13341/security-issues-using-iframes
To enable the header in Apache:
1) Enable the mod_headers module, if it is not enabled yet. Command:
a2enmod headers
2) Add the line "Header always append X-Frame-Options SAMEORIGIN" to /etc/apache2/httpd.conf
3) Restart Apache
It is possible to enable the header selectively, see http://serverfault.com/questions/184912/how-can-i-add-x-frame-options-selectively-using-apache
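A quick way to verify the result after the restart, as an added example that is not part of the original post: the function below parses a captured HTTP response (the two samples embedded here are constructed; replace them with the output of `curl -sI` against your own host) and reports whether X-Frame-Options is present with a single valid directive.

```shell
# Added example, not from the original post. Checks a block of HTTP response
# headers for the X-Frame-Options header. Return codes:
#   0 - header present with a valid directive (DENY or SAMEORIGIN)
#   1 - header missing (what Nikto reported above)
#   2 - header present but malformed, e.g. "DENY, SAMEORIGIN"; browsers
#       ignore such a value, and this is what "Header append" yields when
#       another config layer has already set the header with a different value
check_xfo() {
    headers="$1"
    # Strip CRs, then pull the value of the (case-insensitive) header name.
    value=$(printf '%s\n' "$headers" | tr -d '\r' | \
        awk -F': *' 'tolower($1) == "x-frame-options" { print $2; exit }')
    if [ -z "$value" ]; then
        echo "MISSING: X-Frame-Options not set"
        return 1
    fi
    # Normalise to upper case and drop trailing whitespace before comparing.
    norm=$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]' | sed 's/[[:space:]]*$//')
    case "$norm" in
        DENY|SAMEORIGIN) echo "OK: X-Frame-Options: $value"; return 0 ;;
        *)               echo "INVALID: X-Frame-Options: $value"; return 2 ;;
    esac
}

# Constructed sample responses (not real captures): before and after the fix.
BEFORE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

AFTER='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

check_xfo "$BEFORE"
check_xfo "$AFTER"
# Live check against your own server: check_xfo "$(curl -sI https://your-host/)"
```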