Hakan Çelik · Security · 1 min read

Blocking a Clickjacking Attack

Apache Configuration

To configure Apache to send the X-Frame-Options header on all pages, add one of the following directives to your site's configuration:

  Header always set X-Frame-Options "sameorigin"
  Header set X-Frame-Options "deny"
  Header set X-Frame-Options "allow-from https://example.com/"

Nginx Configuration

To configure Nginx to send the X-Frame-Options header, add the following to your http, server, or location configuration:

  add_header X-Frame-Options sameorigin;

IIS Configuration

To configure IIS to send the X-Frame-Options header, add the following to your site’s Web.config file:

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="sameorigin" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>

HAProxy Configuration

To configure HAProxy to send the X-Frame-Options header, add the following to your frontend, listen, or backend section:

  rspadd X-Frame-Options:\ sameorigin

Alternatively, in newer versions:

  http-response set-header X-Frame-Options sameorigin
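A check for the configurations above, added here and not part of the original post: it reproduces the browser-side decision the HTML spec makes from the X-Frame-Options header, so the value each server emits can be tested against constructed responses. The sample headers, the page origin https://example.com and the third-party framer https://third-party.example are all constructed.

```python
"""Added example: decide whether a browser would let a page be framed, based on
the X-Frame-Options header it serves, per the HTML spec's algorithm for checking
a response's adherence to X-Frame-Options. Origins are compared as plain strings
(a simplification: browsers compare scheme, host and port)."""

VALID = {"deny", "sameorigin"}  # the only values browsers act on today


def xfo_values(headers):
    """All X-Frame-Options values, lowercased; a list models a repeated header."""
    raw = headers.get("X-Frame-Options", [])
    if isinstance(raw, str):
        raw = [raw]
    values = []
    for field in raw:
        values.extend(v.strip().lower() for v in field.split(",") if v.strip())
    return values


def framing_allowed(headers, ancestor_origins, page_origin):
    """True if a page from page_origin, served with these headers, may sit in
    frames whose ancestor documents have ancestor_origins. (A CSP
    frame-ancestors directive, if present, would override this header.)"""
    values = set(xfo_values(headers))
    if not values:
        return True  # header absent: any site may frame the page
    if len(values) > 1:
        # conflicting values: browsers block if any is deny or unrecognised
        return not any(v not in VALID or v == "deny" for v in values)
    (value,) = values
    if value not in VALID:
        return True  # e.g. "allow-from ...": unsupported, so the header is ignored
    if value == "deny":
        return False
    return all(origin == page_origin for origin in ancestor_origins)


# Constructed responses modelling what each configuration on this page emits.
SAMPLES = {
    "sameorigin": {"X-Frame-Options": "sameorigin"},
    "deny": {"X-Frame-Options": "deny"},
    "allow-from": {"X-Frame-Options": "allow-from https://example.com/"},
    "missing": {},
    "duplicated": {"X-Frame-Options": ["sameorigin", "deny"]},
}


def audit(page_origin="https://example.com", framer="https://third-party.example"):
    """Map each sample to whether framer could embed the page; True means exposed."""
    return {n: framing_allowed(h, [framer], page_origin) for n, h in SAMPLES.items()}
```

Note that the allow-from sample comes out as frameable: modern browsers ignore that value, so only deny or sameorigin actually blocks the attack.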

For a related post on how to apply this protection using the Django framework, check out Django Clickjacking Protection and Control - XFrameOptionsMiddleware.
