Clickjacking is an attack that abuses HTML frames to trick users into clicking hidden elements or performing unintended actions. Attackers load a legitimate page in an invisible frame layered over a decoy page, so unsuspecting users end up revealing credentials or altering sensitive settings. Any site that allows its content to be framed by an external domain is exposed to this vulnerability.

Misconfigured Apache servers are particularly susceptible, since any web server that fails to restrict framing can be abused in this way. The X-Frame-Options response header gives the server control over whether a page may be embedded in a frame, which makes it a recommended safeguard against clickjacking. With it set, browsers refuse to render your pages inside a frame served from an external domain.

Setting X-Frame-Options correctly denies or limits unauthorized framing and so defeats hidden overlay attacks. Restricting frames to the same origin, or disallowing them entirely, keeps the site protected. The HTTP response shown in step 8 below is an example of a correctly configured header.

Steps to prevent clickjacking in Apache

  1. Launch terminal.
  2. Enable the headers module in Apache.
    $ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
    [sudo] password for user:
    Enabling module headers.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distributions with a2enmod support can simply run the command above without having to enable the required module manually.
    • CentOS and Red Hat enable the module by default, so no manual action is required.

    Options                 Debian, Ubuntu; openSUSE and SLES    Fedora Core; CentOS, RHEL; macOS homebrew; xampp
    a2enmod support         yes                                  no
    Modules to install      none                                 none
    Module name             n/a                                  headers
    LoadModule directive    n/a                                  LoadModule headers_module <module_locations>/mod_headers.so
  3. Open the Apache configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/sites-enabled/000-default.conf
  4. Locate the VirtualHost or Directory section where you want to apply clickjacking protection.
    <VirtualHost *:80>
            #ServerName www.example.com
     
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
     
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
  5. Add the following line to set the X-Frame-Options header to SAMEORIGIN or DENY.
    <VirtualHost *:80>
            #ServerName www.example.com
     
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
     
            Header set X-Frame-Options "SAMEORIGIN"
     
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    This ensures that the page can only be displayed in a frame whose origin matches the page itself. If you want to prevent any domain, including your own, from framing the content, use DENY instead of SAMEORIGIN. Note that "Header set" applies only to successful (2xx) responses; use "Header always set X-Frame-Options "SAMEORIGIN"" if the header should also be sent with error pages and redirects.

  6. Save the configuration file and exit the text editor.
  7. Restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
  8. Verify the configuration by checking the HTTP headers of your site.
    $ curl -I 127.0.0.1
    HTTP/1.1 200 OK
    Date: Sat, 02 Sep 2023 01:40:31 GMT
    Server: Apache/2.4.55 (Ubuntu)
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Content-Type: text/html

    Ensure that the “X-Frame-Options” header is set correctly in the response headers to confirm the protection is active.
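    As an added check (example code written for this article, not part of the original), the following script parses curl -I output like the response in step 8 and reports whether clickjacking protection is actually in place, including the cases a quick glance misses: a missing header, an obsolete ALLOW-FROM value, conflicting duplicate headers, and the Content-Security-Policy frame-ancestors directive that modern browsers honour in preference to X-Frame-Options. The embedded sample response is a constructed copy of the step 8 output.

```python
import sys

# Constructed sample: a copy of the step 8 response, used when nothing is piped in.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Sat, 02 Sep 2023 01:40:31 GMT
Server: Apache/2.4.55 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
"""

# The only X-Frame-Options values that block cross-origin framing.
EFFECTIVE_XFO = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Turn `curl -I` output into (name, value) pairs; duplicates are kept."""
    headers = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def check_framing_protection(raw):
    """Return (protected, reason) for the clickjacking defences in a response."""
    headers = parse_headers(raw)
    # A CSP frame-ancestors directive takes precedence over X-Frame-Options.
    for policy in (v for n, v in headers if n == "content-security-policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                if "*" in parts[1:]:
                    return False, "frame-ancestors * allows any origin to frame the page"
                return True, "CSP frame-ancestors " + " ".join(parts[1:])
    xfo = [v for n, v in headers if n == "x-frame-options"]
    if not xfo:
        return False, "no X-Frame-Options header and no frame-ancestors directive"
    values = {v.upper() for v in xfo}
    if len(values) > 1:
        return False, "conflicting X-Frame-Options values %s; send exactly one" % sorted(values)
    value = values.pop()
    if value in EFFECTIVE_XFO:
        return True, "X-Frame-Options " + value
    # ALLOW-FROM is obsolete; browsers ignore it and any other unrecognised value.
    return False, "X-Frame-Options %r is not DENY or SAMEORIGIN; browsers ignore it" % xfo[0]

if __name__ == "__main__":
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_RESPONSE
    protected, reason = check_framing_protection(raw)
    print(("PROTECTED: " if protected else "NOT PROTECTED: ") + reason)
    sys.exit(0 if protected else 1)
```

    Saved under a name of your choosing (check_xfo.py here), it can be run against the live server with: curl -sI 127.0.0.1 | python3 check_xfo.py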
