Clickjacking is an attack in which a malicious page loads your site inside an invisible or disguised frame and tricks the visitor into clicking on it. The click lands on your page, not the attacker's, so it can trigger unintended actions such as changing account settings or submitting a form while the user is logged in. Any site that can be framed by another origin is exposed, so web servers should be configured to refuse such framing.
Sites served by Apache are vulnerable to clickjacking unless the server is configured to send the right HTTP response headers. These headers tell the browser whether a page may be displayed inside a frame, so your site cannot be embedded on a domain you have not authorized.
Protecting an Apache server against clickjacking means adding the X-Frame-Options header to its responses, which tells browsers not to render your pages inside frames on other sites. X-Frame-Options is the older mechanism; the Content-Security-Policy frame-ancestors directive supersedes it in current browsers, and sending both covers old and new clients. Applying these settings correctly is an essential baseline for safeguarding your web applications against this attack.
Steps to prevent clickjacking in Apache
- Launch terminal.
- Enable the headers module in Apache.
$ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
[sudo] password for user:
Enabling module headers.
To activate the new configuration, you need to run:
  systemctl restart apache2
- Distributions with a2enmod support can simply run the command above; there is no need to edit the module configuration by hand.
- CentOS and Red Hat load the headers module (mod_headers) by default, so no manual action is required to enable it.
| Options | Debian, Ubuntu | openSUSE and SLES | Fedora Core, CentOS, RHEL | macOS | homebrew | xampp |
| --- | --- | --- | --- | --- | --- | --- |
| a2enmod support | yes | yes | no | no | no | no |
| Modules to install | none | none | none | none | none | none |
| Module name | n/a | n/a | headers | headers | headers | headers |
| LoadModule directive | n/a | n/a | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so | LoadModule headers_module <module_locations>/mod_headers.so |
- Open the Apache configuration file using your preferred text editor.
$ sudo vi /etc/apache2/sites-enabled/000-default.conf
- Locate the VirtualHost or Directory section where you want to apply clickjacking protection.
<VirtualHost *:80>
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
- Add a Header directive inside that section to set the X-Frame-Options header to SAMEORIGIN or DENY.
<VirtualHost *:80>
    #ServerName www.example.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/html
    Header set X-Frame-Options "SAMEORIGIN"
    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>
SAMEORIGIN allows the page to be displayed in a frame only when the framing page comes from the same origin as the page itself. If no site at all, including your own, should be able to frame the content, use DENY instead. Note that `Header set` only adds the header to successful responses; write `Header always set X-Frame-Options "SAMEORIGIN"` if error responses such as 404 pages should carry it too. If the site is also served over HTTPS, add the same directive to the port 443 VirtualHost, since each VirtualHost is configured independently.
- Save the configuration file and exit the text editor.
- Restart the Apache service to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
$ sudo systemctl restart httpd # CentOS and Red Hat
- Verify the configuration by checking the HTTP headers of your site.
$ curl -I 127.0.0.1
HTTP/1.1 200 OK
Date: Sat, 02 Sep 2023 01:40:31 GMT
Server: Apache/2.4.55 (Ubuntu)
Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
ETag: "29af-603be4163c6a4"
Accept-Ranges: bytes
Content-Length: 10671
Vary: Accept-Encoding
X-Frame-Options: SAMEORIGIN
Content-Type: text/html
Confirm that the X-Frame-Options header appears in the response with the value you configured. `curl -I` sends a HEAD request for the default page only; also request a path that does not exist (for example `curl -I 127.0.0.1/missing`) to see whether error responses carry the header, which they will not unless the directive uses `Header always set`.
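The steps above boil down to two things a practitioner wants to verify: that the directive in the config file is the right one, and that the live response actually carries a protective header. The following shell script is an added example, not code from the original article or from the Apache project; it audits an Apache vhost fragment read from stdin (flagging a missing header, a `Header set` without `always`, and the absence of a CSP frame-ancestors directive) and classifies a captured `curl -I` response the way a current browser would, with frame-ancestors taking precedence over X-Frame-Options. The vhost fragments and response headers it runs against are constructed samples embedded in the script; no server is contacted.

```shell
#!/bin/sh
# Added example (not from the original article): audit an Apache vhost fragment
# and a captured HTTP response for clickjacking protection. All inputs below are
# constructed samples; nothing here is read from a real server.

# audit_vhost_config: reads Apache config text on stdin. Returns 0 when
# X-Frame-Options is set with "Header always set" (so 4xx/5xx responses carry it
# too), 1 otherwise. Commented-out directives are ignored.
audit_vhost_config() {
    _live=$(grep -v '^[[:space:]]*#' || true)
    _rc=0
    if ! printf '%s\n' "$_live" | grep -qi 'x-frame-options'; then
        echo "MISSING: no X-Frame-Options directive"
        _rc=1
    elif ! printf '%s\n' "$_live" | grep -Eqi '^[[:space:]]*Header[[:space:]]+always[[:space:]]+set[[:space:]]+X-Frame-Options'; then
        echo "WEAK: 'Header set' without 'always' leaves error responses (e.g. 404) unprotected"
        _rc=1
    fi
    if ! printf '%s\n' "$_live" | grep -qi 'frame-ancestors'; then
        echo "NOTE: no Content-Security-Policy frame-ancestors directive (the successor to X-Frame-Options)"
    fi
    return $_rc
}

# check_response: reads raw response headers (as printed by `curl -I`, CRLF or
# LF) on stdin and decides whether a modern browser would refuse to frame the
# page cross-site. A CSP frame-ancestors directive overrides X-Frame-Options
# when both are present, which is the order browsers apply. Returns 0 if
# protected, 1 if not.
check_response() {
    _hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')   # header names are case-insensitive
    _fa=$(printf '%s\n' "$_hdrs" | sed -n 's/^content-security-policy:.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p' | head -n 1 | sed 's/[[:space:]]*$//')
    _xfo=$(printf '%s\n' "$_hdrs" | sed -n 's/^x-frame-options:[[:space:]]*//p' | head -n 1 | sed 's/[[:space:]]*$//')
    if [ -n "$_fa" ]; then
        case "$_fa" in
            '*'*) echo "WEAK: frame-ancestors $_fa lets any site frame the page"; return 1 ;;
            *)    echo "OK: CSP frame-ancestors $_fa"; return 0 ;;
        esac
    fi
    case "$_xfo" in
        deny|sameorigin) echo "OK: X-Frame-Options: $_xfo"; return 0 ;;
        '')              echo "MISSING: no X-Frame-Options and no frame-ancestors"; return 1 ;;
        allow-from*)     echo "WEAK: ALLOW-FROM is ignored by current browsers; use CSP frame-ancestors"; return 1 ;;
        *)               echo "INVALID: X-Frame-Options '$_xfo' is not a recognised value"; return 1 ;;
    esac
}

# --- constructed samples (hypothetical, for illustration only) ---
weak_conf=$(cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    Header set X-Frame-Options "SAMEORIGIN"
</VirtualHost>
EOF
)
hardened_conf=$(cat <<'EOF'
<VirtualHost *:80>
    DocumentRoot /var/www/html
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</VirtualHost>
EOF
)
unprotected_resp=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.55 (Ubuntu)\r\nContent-Type: text/html\r\n')
hardened_resp=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache/2.4.55 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
Content-Type: text/html
EOF
)

# Exercise both checks; exit codes are consumed by the if so the script never aborts.
for _c in "$weak_conf" "$hardened_conf"; do
    if printf '%s\n' "$_c" | audit_vhost_config; then echo "config: protected"; else echo "config: needs fixing"; fi
done
for _r in "$unprotected_resp" "$hardened_resp"; do
    if printf '%s\n' "$_r" | check_response; then echo "response: protected"; else echo "response: NOT protected"; fi
done
```

To run the checks against a real deployment, pipe the vhost file and the live headers in: `audit_vhost_config < /etc/apache2/sites-enabled/000-default.conf` and `curl -sI https://your-host/ | check_response` (paths and host are assumptions; substitute your own).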
Mohd Shakir Zakaria is an experienced cloud architect with a strong development and open-source advocacy background. He boasts multiple certifications in AWS, Red Hat, VMware, ITIL, and Linux, underscoring his expertise in cloud architecture and system administration.