How to protect your website against clickjacking
The example below sends the X-Frame-Options response header with the value DENY, informing browsers not to display the content of the web page in any frame.

This might not be the best setting for everyone. You should read about the other two possible values the X-Frame-Options header field can have: SAMEORIGIN and ALLOW-FROM.

- https://tools.ietf.org/html/rfc7034#section-2.1
Keep in mind that while you could send the X-Frame-Options header for all of your website's pages, this has the potential downside that it forbids even non-malicious framing of your content (e.g. when users visit your website using a Google Image Search results page).

Nonetheless, you should ensure that you send the X-Frame-Options header for all pages that allow a user to make a state-changing operation (e.g. pages that contain one-click purchase links, checkout or bank-transfer confirmation pages, pages that make permanent configuration changes, etc.).
Example

Add this to the .htaccess file of your Apache website:

    <IfModule mod_headers.c>
        Header set X-Frame-Options "DENY"
        # `mod_headers` cannot match based on the content type; however,
        # the `X-Frame-Options` response header should be sent only for
        # HTML documents and not for the other resources, so unset it
        # again for the static file extensions below.
        <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
            Header unset X-Frame-Options
        </FilesMatch>
    </IfModule>
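As an added check that is not part of this FAQ or of the Apache configuration above, the following Python script mirrors the rule the .htaccess snippet enforces: HTML pages must carry a valid X-Frame-Options value, while files matching the FilesMatch extension list must not. The sample responses are constructed, not captured from a real server.

```python
import re
from typing import Dict, Optional

# Same extension list as the FilesMatch directive in the .htaccess snippet:
# responses for these files should NOT carry X-Frame-Options, HTML documents should.
STATIC_RE = re.compile(
    r"\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|"
    r"jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|"
    r"rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|"
    r"woff2?|xloc|xml|xpi)$"
)

def is_static_resource(path: str) -> bool:
    """Mirror FilesMatch: Apache tests the file name, so drop the query string and directories."""
    filename = path.split("?", 1)[0].rsplit("/", 1)[-1]
    return STATIC_RE.search(filename) is not None

def parse_xfo(value: str) -> Optional[str]:
    """Return the normalised directive, or None if the value is not one RFC 7034 defines.
    The RFC allows exactly one directive, so a folded "DENY, SAMEORIGIN" is rejected too.
    ALLOW-FROM is accepted as syntactically valid even though current browsers ignore it."""
    token = value.strip()
    upper = token.upper()
    if upper in ("DENY", "SAMEORIGIN"):
        return upper
    if upper.startswith("ALLOW-FROM "):
        origin = token[len("ALLOW-FROM "):].strip()
        if origin.lower().startswith(("http://", "https://")) and " " not in origin:
            return "ALLOW-FROM " + origin
    return None

def check_response(path: str, headers: Dict[str, str]) -> str:
    """Classify one response as 'ok', 'missing', 'invalid' or 'unexpected-on-static'."""
    xfo = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if is_static_resource(path):
        return "unexpected-on-static" if xfo is not None else "ok"
    if xfo is None:
        return "missing"
    return "ok" if parse_xfo(xfo) else "invalid"

# Constructed sample responses (path -> response headers), not captured from a real server.
SAMPLES = {
    "/checkout/confirm": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "/account/settings": {"Content-Type": "text/html"},
    "/help": {"content-type": "text/html", "x-frame-options": "deny, sameorigin"},
    "/static/app.js?v=3": {"Content-Type": "application/javascript"},
    "/static/logo.png": {"Content-Type": "image/png", "X-Frame-Options": "DENY"},
}

def audit(samples: Dict[str, Dict[str, str]] = SAMPLES) -> Dict[str, str]:
    return {path: check_response(path, hdrs) for path, hdrs in samples.items()}

if __name__ == "__main__":
    for path, verdict in audit().items():
        print(f"{verdict:22} {path}")
```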
See also

Sending the X-Frame-Options header can also protect your website against more than just clickjacking attacks:

- https://cure53.de/xfo-clickjacking.pdf
- https://tools.ietf.org/html/rfc7034
- http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
- https://www.owasp.org/index.php/Clickjacking
Last updated: 2022-08-23