How to secure against clickjacking in Apache
Clickjacking is a malicious technique where an attacker tricks a user into clicking on a hidden element, potentially leading to unauthorized actions on a web application. It's a significant security concern that can affect various websites and applications.
Apache, being one of the most widely used web servers, is often targeted for such attacks. Fortunately, there are measures that can be implemented to prevent clickjacking on Apache.
By configuring specific HTTP headers, you can protect your Apache server and the applications running on it from clickjacking attacks.
Steps to prevent clickjacking on Apache
- Launch terminal.
- Enable headers module for Apache.
$ sudo a2enmod headers # Ubuntu, Debian and SUSE variants [sudo] password for user: Enabling module headers. To activate the new configuration, you need to run: systemctl restart apache2
- Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
- CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2enmod support yes yes no no no no Modules to install none Module name n/a headers Loadmodule directive n/a LoadModule headers_module <module_locations>/mod_headers.so - Open the Apache configuration file using your preferred text editor.
$ sudo vi /etc/apache2/sites-enabled/000-default.conf
- Locate the section where you want to apply the clickjacking protection, such as within a specific VirtualHost or Directory directive.
<VirtualHost *:80> #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
- Add the following line to set the X-Frame-Options header to SAMEORIGIN or DENY.
<VirtualHost *:80> #ServerName www.example.com ServerAdmin webmaster@localhost DocumentRoot /var/www/html Header set X-Frame-Options "SAMEORIGIN" ErrorLog ${APACHE_LOG_DIR}/error.log CustomLog ${APACHE_LOG_DIR}/access.log combined </VirtualHost>
This will ensure that the page can only be displayed in a frame on the same origin as the page itself. If you want to prevent any domain from framing the content, you can use DENY instead of SAMEORIGIN.
- Save the configuration file and exit the text editor.
- Restart the Apache service to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES $ sudo systemctl restart httpd # CentOS and Red Hat
- Test the configuration by inspecting the HTTP headers of your site using browser developer tools or command line tools.
$ curl -I 127.0.0.1 HTTP/1.1 200 OK Date: Sat, 02 Sep 2023 01:40:31 GMT Server: Apache/2.4.55 (Ubuntu) Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT ETag: "29af-603be4163c6a4" Accept-Ranges: bytes Content-Length: 10671 Vary: Accept-Encoding X-Frame-Options: SAMEORIGIN Content-Type: text/html
Ensure that the “X-Frame-Options” header is set correctly in the response headers to confirm the protection is active.
Mohd Shakir Zakaria is a skilled cloud architect with a background in development, entrepreneurship, and open-source advocacy. As the founder of Simplified Guide, he helps others understand the complexities of computing, making tech concepts accessible to all.
Comment anonymously. Login not required.