configure x-frame-options in apache

How to Configure X-Frame-Options in Apache

Team Fedingo

X-Frame-Options is an HTTP response header that is used to allow or prevent a browser from opening the requested page in a frame or iframe. It is used to prevent clickjacking and unauthorized embedding of web pages from other sites. In this article, we will look at how to configure x-frame-options in Apache web server.


How to Configure X-Frame-Options in Apache

There are two ways to configure X-Frame-Options in Apache – via Apache configuration and via .htaccess file.

X-Frame-Options header can assume 3 values as follows:

  • SAMEORIGIN – allow your website pages to be displayed in an iframe on the same website
  • ALLOW-FROM uri – allow your websites pages to embedded in the specified domains/websites
  • DENY – do not allow any website to embed your website’s pages in an iframe

Also read : How to Redirect 403 to 404 in Apache


1. Configure X-Frame-Options using Apache Configuration file

Open Apache configuration file using a text editor

## debian/ubuntu
$ sudo vi /etc/apache2/conf-enabled/security.conf
## redhat/centos/fedora
$ sudo vi /etc/httpd/conf/httpd.conf

Apache configuration file may also be present at any of the following location, depending on your installation

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf

Add any of the following lines, depending on your requirement.

If you want to allow embedding for same origin, that is, default behavior, add

Header set X-Frame-Options: "SAMEORIGIN"

If you want to allow from specific domain (e.g. example.com), add

Header set X-Frame-Options: "ALLOW-FROM http://example.com/"  
Header set X-Frame-Options: "ALLOW-FROM http://www.example.com/"  
Header set X-Frame-Options: "ALLOW-FROM https://example.com/"  
Header set X-Frame-Options: "ALLOW-FROM https://www.example.com/"

Please note, each variation of the allowed domain(s) such as www, non-www, http, and https have to be specified separately.

If you want to deny embedding to all sites, including yours, add

Header set X-Frame-Options: "DENY"

Also read : How to Redirect Subfolder to Root in Apache


Configure X-frame-options with .htaccess

If you don’t have access to apache server configuration, open .htaccess file in a text editor

$ sudo vi /var/www/html/.htaccess

and add the following line to allow same origin

Header append X-Frame-Options: "SAMEORIGIN"

for allowing specific websites (e.g. example.com) add the following lines

Header append X-Frame-Options: ALLOW-FROM http://example.com/
Header append X-Frame-Options: ALLOW-FROM http://www.example.com/
Header append X-Frame-Options: ALLOW-FROM https://example.com/
Header append X-Frame-Options: ALLOW-FROM https://www.example.com/

if you want to deny from all sites, add the following line

Header append X-Frame-Options: "DENY"

Also read : How to Block User-Agent in Apache


2. Restart Apache Web Server

Restart Apache to apply changes.

$ sudo service apache2 restart

Now other sites will not be able to embed your website’s pages on their site and pass it as their own.


Related posts:

How to Redirect IP to Domain URL using .htaccess in Apache
Apache Configure Multiple Virtual Hosts
How to Disable HTTP Methods in Apache
How to Harden Apache Web Server on Centos 7
How to Disable Configuration File in Apache
How to Remove WWW from URL in Apache
How to Change Apache User
Limit Bandwidth & Connections in Apache

Leave a Reply

Your email address will not be published. Required fields are marked *