Clickjacking is a well-known web application vulnerability; for example, it was used in an attack on Twitter. To defend against clickjacking on your Apache web server, you can send the X-Frame-Options response header so that your site cannot be loaded inside another site's frame.
Using X-Frame-Options
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame> or <iframe>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites. The header takes one of three values:
DENY
The page cannot be displayed in a frame, regardless of the site
attempting to do so.
SAMEORIGIN
The page can only be displayed in a frame on the same origin as
the page itself.
ALLOW-FROM uri
The page can only be displayed in a frame on the specified origin. Note that this value is obsolete: current browsers do not implement it and treat the header as absent, so a page sent with ALLOW-FROM is framable from anywhere. Use the Content-Security-Policy frame-ancestors directive if you need to allow a specific origin.
In other words, if you specify DENY, attempts to load the page in a frame will fail not only when the framing page comes from another site, but also when it comes from the same site. If you specify SAMEORIGIN, the page can still be used in a frame as long as the site including it is the same as the one serving the page.
Configuring Apache
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration in /etc/apache2/httpd.conf (Ubuntu):
Header always set X-Frame-Options SAMEORIGIN
Use "set" rather than "append": "append" merges with any X-Frame-Options header the application already emits into a comma-separated value (for example "SAMEORIGIN, DENY"), which browsers treat as conflicting and reject; "set" guarantees exactly one value is sent.
Then enable the headers module (mod_headers), which the Header directive requires, and restart Apache so the change takes effect:
$ sudo a2enmod headers
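To see how a browser actually interprets the values described above, and to verify what the Apache configuration sends, here is an added Python example (not part of the original post, and not Apache's code). It parses a raw HTTP response, extracts every X-Frame-Options value, and applies the decision procedure from the HTML standard: no header means no protection, DENY blocks all framing, SAMEORIGIN requires every ancestor frame to share the page's origin, conflicting values block everything, and unknown values (including the obsolete ALLOW-FROM) are ignored. The response text, URLs and origins below are constructed sample data, not captured traffic.

```python
from urllib.parse import urlsplit

# Constructed sample response, shaped like what Apache emits with
# "Header always set X-Frame-Options SAMEORIGIN" (not a real capture).
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "Server: Apache\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
    "<html><body>hello</body></html>"
)


def header_values(raw_response: str, name: str) -> list[str]:
    """Return every value of header `name` (case-insensitive) from a raw
    HTTP/1.1 response, split on commas the way browsers combine headers."""
    head, _, _body = raw_response.partition("\r\n\r\n")
    values = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.extend(v.strip() for v in value.split(","))
    return values


def origin(url: str) -> str:
    """Scheme + host[:port], lower-cased, as used for same-origin checks."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(raw_response: str, page_url: str, ancestor_urls: list[str]) -> bool:
    """Decide whether a browser following the HTML standard's X-Frame-Options
    check would render `page_url` inside frames at `ancestor_urls`
    (outermost to innermost, all must pass for SAMEORIGIN)."""
    values = {v.lower() for v in header_values(raw_response, "X-Frame-Options")}
    if not values:
        return True        # header absent: no clickjacking protection at all
    if len(values) > 1:
        return False       # conflicting values (e.g. "SAMEORIGIN, DENY"): blocked
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(origin(a) == origin(page_url) for a in ancestor_urls)
    return True            # unknown value, including ALLOW-FROM: ignored, so framable


if __name__ == "__main__":
    page = "https://www.example.com/login"        # constructed
    for framer in ("https://www.example.com/", "https://other.example/"):
        verdict = "allowed" if framing_allowed(SAMPLE_RESPONSE, page, [framer]) else "blocked"
        print(f"framing {page} from {framer}: {verdict}")
```

Feed it the raw bytes from curl -i (decoded as text) to check what your server really sends; the same function also shows why a duplicated but identical value such as "SAMEORIGIN, SAMEORIGIN" still works while a mixed one does not.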
Check HTTP Response