You can set this header by adding a rule to your web server’s configuration file. There are two (2) options in setting this header. They are:
- X-Frame-Options SAMEORIGIN
- X-Frame-Options DENY
Note: Different web servers have different configuration files. Choose the one below that applies to your website.
Apache web server:
Using the .htaccess configuration file (the Header directive below requires Apache's mod_headers module to be enabled)
If you’re on a shared hosting plan, you’ll only have access to create rules in the .htaccess configuration file. Follow these steps:
- Go to your website’s root folder, open the .htaccess file. Note: You should be able to do this using either an FTP application such as Filezilla or your hosting provider’s online File manager.
- Copy one (1) of the following lines into the .htaccess (after any existing rules) and save it. The header should now be set.
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Frame-Options "DENY"
Using the httpd.conf configuration file
If you’re on a dedicated hosting plan that gives you access to the web server’s root configuration file httpd.conf, then:
- Go to your website’s root folder and open the httpd.conf file. Note: You should be able to do this using either an FTP application such as Filezilla or your hosting provider’s online File manager.
- Copy one (1) of the following lines into the httpd.conf file (after any existing rules) and save it. The header should now be set.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Frame-Options "DENY"
Microsoft IIS web server
Add the following inside the <system.webServer> section of your site’s web.config file (use value="DENY" instead if you never want the site framed):
<httpProtocol>
  <customHeaders>
    <add name="X-Frame-Options" value="SAMEORIGIN" />
  </customHeaders>
</httpProtocol>
NGINX web server
Copy one (1) of the following lines into your server block configuration (the always parameter makes NGINX send the header on error responses too):
add_header X-Frame-Options "DENY" always;
add_header X-Frame-Options "SAMEORIGIN" always;
NOTE: Some CMSs, such as WordPress, offer plugins that let you set the header through a point-and-click interface, in case you are uncomfortable modifying the configuration file directly.
How to verify the X-Frame-Options header is set
There are two (2) common ways:
- Use an online service that displays HTTP Response headers such as:
- Use your browser’s built-in function to view HTTP Headers as below:
Using Google Chrome and Firefox browser:
- Open the web page
- Right-click anywhere on the page and select “Inspect element”
- Go to the “Network Tab”
- Refresh the page and select the page’s URL from the list of loaded resources
- Look under the “Response Headers” panel to see whether X-Frame-Options is set as you configured it.
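The browser steps above check one page by eye. As an added example (not part of the original article), the script below does the same check programmatically: it reads the response headers, matches the header name case-insensitively (the configurations above write it in different cases), and reports whether the value is one a browser will honour. The function names and the sample header sets are constructed for this illustration.

```python
"""Evaluate the X-Frame-Options header of an HTTP response."""
import sys
import urllib.request

# The only two values current browsers honour. ALLOW-FROM is obsolete and
# ignored by modern browsers, so it is reported separately: it gives no
# protection even though a header is present.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def evaluate_x_frame_options(headers):
    """Return a verdict for the X-Frame-Options header in `headers`.

    `headers` may be a mapping (e.g. a dict) or a list of (name, value)
    pairs, such as the .items() of http.client.HTTPMessage, which keeps
    duplicate headers. Verdicts:
      "missing"     no header: the page can be framed by any site
      "deny"        framing is refused everywhere
      "sameorigin"  framing is allowed only from the same origin
      "obsolete"    ALLOW-FROM: ignored by browsers, so no protection
      "invalid"     unrecognised value, or several conflicting values
    """
    items = headers.items() if hasattr(headers, "items") else headers
    values = []
    for name, value in items:
        if name.lower() != "x-frame-options":
            continue
        # A proxy may fold repeated headers into one comma-separated value.
        values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    if not values:
        return "missing"
    if len(set(values)) != 1:
        # Conflicting values are a misconfiguration; flag them for fixing.
        return "invalid"
    value = values[0]
    if value in VALID_VALUES:
        return value.lower()
    if value.startswith("ALLOW-FROM"):
        return "obsolete"
    return "invalid"


def fetch_verdict(url, timeout=10):
    """Request `url` and evaluate the X-Frame-Options header it returns."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return evaluate_x_frame_options(resp.headers)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], fetch_verdict(sys.argv[1]))
    else:
        # Constructed sample responses, one per verdict.
        samples = {
            "apache sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
            "nginx deny": [("x-frame-options", "DENY"), ("Content-Type", "text/html")],
            "no header": {"Content-Type": "text/html"},
            "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.invalid"},
            "conflicting": {"X-Frame-Options": "SAMEORIGIN, DENY"},
        }
        for label, hdrs in samples.items():
            print(f"{label}: {evaluate_x_frame_options(hdrs)}")
```

Run it with a URL as the first argument to check a live site (for example `python3 xfo_check.py https://your-site.example/`), or with no arguments to see the verdict for each constructed sample. Anything other than "deny" or "sameorigin" means the configuration step above has not taken effect.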
Why implement the X-Frame-Options Header
When this header is set, every page your website serves carries it among its HTTP response headers, which helps protect users against framing attacks.
The X-Frame-Options HTTP header controls whether or not a website may be loaded in a frame (a web page embedded within another web page), for example when someone embeds a YouTube video in a web page and you watch it there instead of going to YouTube itself.
If the header is not set, an attacker can exploit this weakness by displaying the vulnerable website in a frame and tricking the user into clicking on a link that triggers an action. This usually happens in very targeted scenarios, such as when an attacker knows a specific user is logged into a site that has a button changing a sensitive option (“on/off”, “enable/disable”), or on an online voting site where you click to vote. The attacker lures the user into clicking on a link in the framed website by placing a malicious transparent window over the genuine one; the user believes they are clicking on the second window, but they are really clicking on the first, which has been made invisible with CSS style sheets or other tricks.
Links for additional information on this topic:
- PORTSWIGGER - Using Burp to find Clickjacking Vulnerabilities
- Mozilla Docs - X-Frame-Options
- Tenable Plugins - Missing 'X-Frame-Options' Header
- KEYCDN - X-Frame-Options - How to Combat Clickjacking
- infosecinstitute.com - Defending Against Web Attacks: X-Frame Options
Links for Penetration Testers: