Clickjacking is a security threat in which an attacker loads your page inside an invisible frame on a page they control, so that a user who thinks they are clicking the attacker's page is actually clicking hidden elements of yours. This can lead to unintended actions, such as changing settings or submitting sensitive information. It is a common attack vector that can affect any website whose pages can be framed, so securing the web server against it is important.

Pages served by Apache can be vulnerable to clickjacking if the server is not properly configured. Preventing it involves sending the correct HTTP response headers. These headers control whether browsers may display the content inside a frame, ensuring that your website cannot be embedded within a frame on an unauthorized domain.

To protect your Apache server from clickjacking, specific directives need to be added to the server's configuration. This includes setting the X-Frame-Options header, which prevents your web pages from being embedded in frames on external sites. Configuring these settings correctly is essential to safeguard your web applications from such attacks.

Steps to prevent clickjacking in Apache

  1. Launch terminal.
  2. Enable the headers module in Apache.
    $ sudo a2enmod headers # Ubuntu, Debian and SUSE variants
    [sudo] password for user:
    Enabling module headers.
    To activate the new configuration, you need to run:
      systemctl restart apache2
    • Distributions with a2enmod support can simply run the command above without having to enable the required module manually.
    • CentOS and Red Hat enable the module by default, so no manual action is required to enable it.
    Options                Debian, Ubuntu   openSUSE and SLES   Fedora Core, CentOS, RHEL   macOS     Homebrew   XAMPP
    a2enmod support        yes              yes                 no                          no        no         no
    Modules to install     none             none                none                        none      none       none
    Module name            n/a              n/a                 headers                     headers   headers    headers
    LoadModule directive   n/a              n/a                 LoadModule headers_module <module_locations>/mod_headers.so (same for macOS, Homebrew and XAMPP)
  3. Open the Apache configuration file using your preferred text editor.
    $ sudo vi /etc/apache2/sites-enabled/000-default.conf
  4. Locate the VirtualHost or Directory section where you want to apply clickjacking protection.
    <VirtualHost *:80>
            #ServerName www.example.com
     
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
     
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>
  5. Add the following line to set the X-Frame-Options header to SAMEORIGIN or DENY.
    <VirtualHost *:80>
            #ServerName www.example.com
     
            ServerAdmin webmaster@localhost
            DocumentRoot /var/www/html
     
            Header set X-Frame-Options "SAMEORIGIN"
     
            ErrorLog ${APACHE_LOG_DIR}/error.log
            CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

    This ensures that the page can only be displayed in a frame whose origin matches the page's own origin. If you want to prevent any site, including your own, from framing the content, use DENY instead of SAMEORIGIN.

  6. Save the configuration file and exit the text editor.
  7. Restart the Apache service to apply the changes.
    $ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES
    $ sudo systemctl restart httpd # CentOS and Red Hat
  8. Verify the configuration by checking the HTTP headers of your site.
    $ curl -I 127.0.0.1
    HTTP/1.1 200 OK
    Date: Sat, 02 Sep 2023 01:40:31 GMT
    Server: Apache/2.4.55 (Ubuntu)
    Last-Modified: Fri, 25 Aug 2023 12:12:15 GMT
    ETag: "29af-603be4163c6a4"
    Accept-Ranges: bytes
    Content-Length: 10671
    Vary: Accept-Encoding
    X-Frame-Options: SAMEORIGIN
    Content-Type: text/html

    Ensure that the X-Frame-Options header appears in the response headers with the value you configured; that confirms the protection is active.
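    A quick way to automate step 8 is a shell check that parses the response headers and classifies the X-Frame-Options value. The script below is an added example and is not part of the original article; the function names check_xfo and xfo_value and the sample response it runs on are constructed here. It goes beyond the single curl call above by also flagging a missing header, duplicate headers, an unrecognised value, and the obsolete ALLOW-FROM form, all of which leave the page frameable.

```shell
#!/bin/sh
# Added example: a small shell check for the X-Frame-Options header in an HTTP
# response. Not part of the original article; the function names and the
# sample response below are constructed for illustration.
#
# Live usage (once Apache has been restarted):
#   curl -sI http://127.0.0.1/ | check_xfo
# Exit status: 0 when the page is protected (DENY or SAMEORIGIN), 1 otherwise.

# Print the value of the first X-Frame-Options header found on stdin,
# trimmed and upper-cased. Header names are case-insensitive, hence grep -i.
xfo_value() {
    tr -d '\r' \
      | grep -i '^x-frame-options:' \
      | head -n 1 \
      | cut -d: -f2- \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | tr '[:lower:]' '[:upper:]'
}

# Classify the header in the response read from stdin:
# OK, MISSING, DUPLICATE, WEAK or INVALID. Only OK returns 0.
check_xfo() {
    headers=$(tr -d '\r')                      # read the whole response once
    count=$(printf '%s\n' "$headers" | grep -ci '^x-frame-options:' || true)
    value=$(printf '%s\n' "$headers" | xfo_value)

    if [ "$count" -gt 1 ]; then
        echo "DUPLICATE: $count X-Frame-Options headers; send exactly one"
        return 1
    fi
    case "$value" in
        DENY|SAMEORIGIN)
            echo "OK: X-Frame-Options: $value"
            return 0 ;;
        "")
            echo "MISSING: no X-Frame-Options header; any site can frame this page"
            return 1 ;;
        ALLOW-FROM*)
            echo "WEAK: ALLOW-FROM is obsolete and ignored by current browsers"
            return 1 ;;
        *)
            echo "INVALID: unrecognised value '$value' (browsers ignore it)"
            return 1 ;;
    esac
}

# Constructed sample response, modelled on the curl output in step 8.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4.55 (Ubuntu)
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

printf '%s\n' "$SAMPLE_RESPONSE" | check_xfo
```

    Two caveats are worth checking at the same time. First, Header set without the always keyword only adds the header to successful responses, so Apache's own error pages (for example a 404) go out without it; use Header always set X-Frame-Options "SAMEORIGIN" to cover every response. Second, current browsers also honour the Content-Security-Policy frame-ancestors directive, the standardised successor to X-Frame-Options, which can be sent alongside it.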
