Configure IIS and Apache Webserver to prevent Clickjacking

1 minute read

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

To prevent clickjacking, configure the below in your web server.

To configure IIS:

Open Internet Information Services (IIS) Manager.
In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect
Double-click the HTTP Response Headers icon in the feature list in the middle.
In the Actions pane on the right side, click Add.
In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field
Click OK to save your changes.
Restart the IIS

To configure Apache:

Add the following lines to the httpd.conf file:

 <IfModule !headers_module>
   # If the HEADERS module has NOT already been loaded, load it
   LoadModule headers_module modules/mod_headers.so
 </IfModule>

 Header always append X-Frame-Options SAMEORIGIN
 <IfModule !headers_module>
   # If the HEADERS module has NOT already been loaded, load it
   LoadModule headers_module modules/mod_headers.so
 </IfModule>

 Header always append X-Frame-Options SAMEORIGIN

Save the conf file
Restart the Apache

Share on

Twitter Facebook Google+ LinkedIn

Configure IIS and Apache Webserver to prevent Clickjacking

Share on

You May Also Enjoy

Ansible script to setup kubernetes cluster

WebSphere Application Server to API certificate based authentication

WebSphere Session Security Settings – HTTPOnlyCookies