How to Configure X-Frame-Options for NGINX

Sometimes people may embed your web pages on their website without your permission. This enables clickjacking, where another site frames your pages and passes them off as its own to trick visitors into interacting with them. The X-Frame-Options header allows you to tell the web browser not to allow embedding of your web pages in a frame. In this article, we will look at how to configure the X-Frame-Options header for NGINX.


Here are the steps to configure the X-Frame-Options header for NGINX. Before we proceed, let us learn a little more about the X-Frame-Options header. It can take 3 values. The user’s web browser will respond depending on the value you set for your website’s X-Frame-Options header.

  • SAMEORIGIN – allow your webpages to be displayed in an iframe on the same website
  • ALLOW-FROM uri – allow your webpages to be embedded only in the specified domains/websites
  • DENY – do not allow any website to embed your webpages in an iframe



Enable X-Frame-Options header

Open a terminal and run the following command to open the NGINX configuration file.

$ sudo vi /etc/nginx/nginx.conf

Add the following line to allow framing from the same origin.

# add_header is valid inside the http, server or location block
add_header X-Frame-Options "SAMEORIGIN";

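To allow specific websites (e.g. mysite.com), add the following lines.

# ALLOW-FROM is obsolete and ignored by current browsers.
# Each header value names a single URI and must be quoted because it contains a space.
add_header X-Frame-Options "ALLOW-FROM http://mysite.com/";
add_header X-Frame-Options "ALLOW-FROM http://www.mysite.com/";
add_header X-Frame-Options "ALLOW-FROM https://mysite.com/";
add_header X-Frame-Options "ALLOW-FROM https://www.mysite.com/";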

If you want to deny framing from all sites, add the following line.

add_header X-Frame-Options "DENY";



Restart NGINX Server

Restart the NGINX server to apply the changes.

$ sudo service nginx restart
OR 
$ sudo systemctl restart nginx

That’s it. Now other websites will not be able to embed your website without your knowledge or permission.
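One way to check the result after the restart, as an added example that is not part of the original article: the Python sketch below audits response headers (as printed by `curl -sI`) for the framing controls configured above and flags the failure modes of the ALLOW-FROM variant. The function names and the sample response are constructed for illustration; recognising the Content-Security-Policy `frame-ancestors` directive goes beyond the header this article configures.

```python
import re

# Constructed sample: what `curl -sI` would show with the article's four
# ALLOW-FROM lines active at once (not captured from a real server).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html
X-Frame-Options: ALLOW-FROM http://mysite.com/
X-Frame-Options: ALLOW-FROM http://www.mysite.com/
X-Frame-Options: ALLOW-FROM https://mysite.com/
X-Frame-Options: ALLOW-FROM https://www.mysite.com/
"""


def parse_headers(raw):
    """Return (name, value) pairs with lower-cased names, keeping duplicates."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line:          # status line or blank line
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_framing(raw):
    """Return a list of findings about the framing headers in a raw response."""
    pairs = parse_headers(raw)
    # Browsers combine repeated headers and comma-separated values into one list.
    xfo = [p.strip().upper() for n, v in pairs if n == "x-frame-options"
           for p in v.split(",")]
    csp = [v for n, v in pairs if n == "content-security-policy"]
    has_ancestors = any(
        re.search(r"(^|;)\s*frame-ancestors\s", v, re.I) for v in csp)
    findings = []
    if not xfo and not has_ancestors:
        findings.append("missing: no X-Frame-Options or CSP frame-ancestors")
    if len(xfo) > 1:
        findings.append("duplicate: %d X-Frame-Options values" % len(xfo))
    if any(v.startswith("ALLOW-FROM") for v in xfo):
        findings.append("obsolete: ALLOW-FROM is ignored by current browsers")
    if any(v not in ("DENY", "SAMEORIGIN") and not v.startswith("ALLOW-FROM")
           for v in xfo):
        findings.append("invalid: unrecognised X-Frame-Options value")
    return findings


if __name__ == "__main__":
    for finding in audit_framing(SAMPLE_RESPONSE):
        print(finding)
```

An empty list from `audit_framing` means a single valid DENY or SAMEORIGIN value, or a `frame-ancestors` policy, was found.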
