Clickjacking (also called UI redressing) is an attack in which a page the attacker controls loads the target site inside a transparent or disguised iframe and lines it up under decoy content, so that the victim's clicks land on the hidden buttons or links and perform actions on the target site with the victim's own session. Any site that lets itself be framed by an arbitrary origin is exposed, whatever it is hosted on.
The defence is set on the server: the site tells the browser which origins are allowed to frame it, and the browser refuses to render the page inside any other frame. On Apache this is done by adding the relevant response headers with mod_headers.
By configuring these HTTP headers in the Apache configuration, you protect every application served by that server without changing the applications themselves.
$ sudo a2enmod headers    # Ubuntu, Debian and SUSE variants
[sudo] password for user:
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
Option | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS | homebrew | xampp |
---|---|---|---|---|---|---|
a2enmod support | yes | yes | no | no | no | no |
Modules to install | none | none | none | none | none | none |
Module name | n/a | headers | headers | headers | headers | headers |
LoadModule directive | n/a | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so |

mod_headers ships with Apache, so nothing extra needs to be installed. Where a2enmod is not available, add the LoadModule line to the main httpd.conf (or the module configuration file it includes) and check with `apachectl -M` that `headers_module` is listed before continuing.
$ sudo vi /etc/apache2/sites-enabled/000-default.conf

The default virtual host looks like this:

<VirtualHost *:80>
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Add a Header directive inside the VirtualHost block:

<VirtualHost *:80>
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    Header set X-Frame-Options "SAMEORIGIN"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
SAMEORIGIN lets the page be framed only by pages from the same origin (same scheme, host and port); DENY forbids framing by any page, including your own. Use DENY unless you actually frame the page yourself. Three points are worth checking before calling this done. First, `Header set` without the `always` keyword is applied only to 2xx responses, so error pages (a 404, for instance) still go out without the header; `Header always set` covers every response. Second, the directive has to be present in every VirtualHost that serves the application, in particular the *:443 one, or be placed in the server-wide configuration. Third, modern browsers also honour the Content-Security-Policy frame-ancestors directive, which takes precedence over X-Frame-Options where both are present, and the old X-Frame-Options value ALLOW-FROM is no longer supported by current browsers, so do not rely on it.
$ sudo systemctl restart apache2    # Ubuntu, Debian, openSUSE and SLES
$ sudo systemctl restart httpd      # CentOS and Red Hat
$ curl -I 127.0.0.1
HTTP/1.1 200 OK
Date: Sat, 02 Sep 2023 01:40:31 GMT
Server: Apache/2.4.55 (Ubuntu)
Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
ETag: "29af-603be4163c6a4"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
Confirm that the X-Frame-Options header appears in the response with the value you configured. Repeat the check against the HTTPS virtual host and against a path that does not exist, since a header that only shows up on the 200 response of the default page has not been applied as widely as it should be.
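The verification step above is easy to do by hand for one URL; the script below, an added example that is not part of the original article, turns it into a repeatable check. frame_protection reads raw response headers on stdin and reports whether they carry an enforceable framing restriction, and check_url feeds it the headers curl captured for a URL. The sample header blocks in the usage notes are constructed for illustration; the host names in them are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): classify an HTTP response's
# clickjacking protection from its raw headers, then use it to audit a server.
#
# frame_protection reads one response's headers on stdin and prints:
#   csp              Content-Security-Policy with frame-ancestors (takes
#                    precedence over X-Frame-Options in browsers that support it)
#   xfo:DENY         X-Frame-Options with a value browsers enforce
#   xfo:SAMEORIGIN
#   weak:<value>     X-Frame-Options present but not enforceable, e.g. the
#                    obsolete ALLOW-FROM form or two conflicting values
#   none             no framing restriction at all
# Exit status is 0 only for csp, xfo:DENY and xfo:SAMEORIGIN.
frame_protection() {
  tr -d '\r' | awk '
    {
      # header name, lower-cased; header value with surrounding blanks removed
      name = tolower($0); sub(/:.*/, "", name)
      value = $0; sub(/^[^:]*:[ \t]*/, "", value); sub(/[ \t]+$/, "", value)
      if (name == "x-frame-options") xfo = value
      else if (name == "content-security-policy" && tolower(value) ~ /frame-ancestors/) csp = 1
    }
    END {
      if (csp) { print "csp"; exit 0 }
      u = toupper(xfo)
      if (u == "DENY" || u == "SAMEORIGIN") { print "xfo:" u; exit 0 }
      if (xfo != "") { print "weak:" xfo; exit 1 }
      print "none"; exit 1
    }'
}

# check_url fetches one URL with curl and prints "<verdict><TAB><url>".
# Run it against a real page and against a path that does not exist: Apache
# applies "Header set" (without "always") only to 2xx responses, so a 404
# page can still be frameable on a server that otherwise looks protected.
check_url() {
  url=$1
  verdict=$(curl -sS -D - -o /dev/null "$url" | frame_protection) || true
  printf '%s\t%s\n' "$verdict" "$url"
}

# Usage (host names are placeholders):
#   sh framecheck.sh https://www.example.com/ https://www.example.com/no-such-page
for u in "$@"; do check_url "$u"; done
```

Piping the curl output from the article's verification step into frame_protection prints xfo:SAMEORIGIN and exits 0; a 404 response from a server that used `Header set` rather than `Header always set` prints none and exits 1, which is exactly the gap the check is meant to surface.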