Clickjacking is a malicious technique where an attacker tricks a user into clicking on a hidden element, potentially leading to unauthorized actions on a web application. It's a significant security concern that can affect various websites and applications.

Apache, being one of the most widely used web servers, is often targeted for such attacks. Fortunately, there are measures that can be implemented to prevent clickjacking on Apache.

By configuring specific HTTP headers, you can protect your Apache server and the applications running on it from clickjacking attacks.

Steps to prevent clickjacking on Apache

  1. Launch terminal.
  2. Enable headers module for Apache.
    $ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
    [sudo] password for user:
    Enabling module headers.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
    • CentOS and Red Hat enables the module by default so requires no manual action to enable the modules.
    Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp
    a2enmod support yes yes no no no no
    Modules to install none
    Module name n/a headers
    Loadmodule directive n/a LoadModule headers_module <module_locations>/
  3. Open the Apache configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/sites-enabled/000-default.conf
  4. Locate the section where you want to apply the clickjacking protection, such as within a specific VirtualHost or Directory directive.
    <VirtualHost *:80>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
  5. Add the following line to set the X-Frame-Options header to SAMEORIGIN or DENY.
    <VirtualHost *:80>
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
            Header set X-Frame-Options "SAMEORIGIN"
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined

    This will ensure that the page can only be displayed in a frame on the same origin as the page itself. If you want to prevent any domain from framing the content, you can use DENY instead of SAMEORIGIN.

  6. Save the configuration file and exit the text editor.
  7. Restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
  8. Test the configuration by inspecting the HTTP headers of your site using browser developer tools or command line tools.
    $ curl -I
    HTTP/1.1 200 OK
    Date: Sat, 02 Sep 2023 01:40:31 GMT
    Server: Apache/2.4.55 (Ubuntu)
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Content-Type: text/html

    Ensure that the “X-Frame-Options” header is set correctly in the response headers to confirm the protection is active.

Discuss the article:

Comment anonymously. Login not required.