Sometimes people may embed your web pages on their website without your permission. It is known as clickjacking whereby people pass off your web pages as their website. X-Frame-Options headers allows you to tell web browser not to allow embedding of your web pages in an frame. In this article, we will look at how to configure x-frame-options headers for NGINX.
How to Configure X-Frame-Options for NGINX
Here are the steps to configure x-frame-options for NGINX. Before we proceed, let us learn a little more x-frame-options header. It can basically assume 3 values. The user’s web browser will respond depending on the value you set for your website’s x-frame-options headers.
- SAMEORIGIN – allow your webpages to be displayed in an iframe on the same website
- ALLOW-FROM uri – allow your webpages to embedded in only specified domains/websites
- DENY – do not allow any website to embed your webpages in an iframe
Also read : How to Install Jenkins in Redhat Linux
Enable X-Frame-Options header
Open terminal and run the following command to open NGINX configuration file.
$ sudo vi /etc/nginx/nginx.conf
Add the following code to allow same origin
for allowing specific websites (e.g. mysite.com) add the following lines
add_header X-Frame-OptionsALLOW-FROM http://mysite.com/
add_header X-Frame-OptionsALLOW-FROM http://www.mysite.com/
add_header X-Frame-OptionsALLOW-FROM https://mysite.com/
add_header X-Frame-OptionsALLOW-FROM https://www.mysite.com/
if you want to deny from all sites, add the following line
Header append X-Frame-Options: "DENY"
Also read : How to Install PgAdmin 4 in Ubuntu
Restart NGINX Server
Restart NGINX server to apply changes
$ sudo service nginx restart OR $ sudo systemctl restart nginx
That’s it. Now other websites will not be able to embed your website without your knowledge or permission.
Also read : How to Serve Static Files in NodeJS using NGINX