X-Frame-Options is an HTTP response header that tells the browser whether it may render the requested page inside a frame or iframe. It is one of the standard defences against clickjacking, where an attacker embeds your page invisibly on their own site and tricks the visitor into clicking on it. The server only sends the header; enforcement happens in the browser. In this article, we will look at how to configure X-Frame-Options in the Apache web server.
How to Configure X-Frame-Options in Apache
There are two ways to configure X-Frame-Options in Apache – via the main Apache configuration and via an .htaccess file. Both use the Header directive, which is provided by mod_headers, so that module must be loaded first.
The X-Frame-Options header can take one of the following values:
- SAMEORIGIN – the page may only be framed by pages from the same origin (same scheme, host and port). Current browsers check every ancestor frame, not just the immediate parent.
- DENY – the page may not be framed at all, not even by your own site.
- ALLOW-FROM uri – the page may be framed by exactly one named origin. This value is obsolete: Chrome and Safari never implemented it and Firefox dropped it in version 70, and a browser that does not recognise the value ignores the whole header, which leaves the page framable by anyone. To allow specific third-party sites, use the frame-ancestors directive of the Content-Security-Policy header instead; it takes a list of origins and is supported by all current browsers.
1. Configure X-Frame-Options using Apache Configuration file
Open the Apache configuration file in a text editor. The Header directive comes from mod_headers; on Debian/Ubuntu enable it with a2enmod headers before proceeding, otherwise Apache refuses to start with "Invalid command 'Header'".
## debian/ubuntu
$ sudo vi /etc/apache2/conf-enabled/security.conf
## redhat/centos/fedora
$ sudo vi /etc/httpd/conf/httpd.conf
The Apache configuration file may be at a different location, depending on your installation.
Add one of the following lines, depending on your requirement. The always condition makes mod_headers add the header to error responses (404, 500 and so on) as well as to successful ones; without it, your error pages remain framable.
To allow framing only from the same origin, add
Header always set X-Frame-Options "SAMEORIGIN"
Note that this is not the default behaviour: without the header, any site can frame your pages.
ALLOW-FROM accepts exactly one origin, so a single line such as
Header always set X-Frame-Options "ALLOW-FROM https://www.example.com/"
is the only form the value permits. Repeating the line for each variation of the domain (www, non-www, http, https) does not build a list: each Header set replaces the previous value and only the last line survives. More importantly, current browsers do not recognise ALLOW-FROM and ignore the header when they see it, so this configuration protects nothing. To allow a specific partner site, send a Content-Security-Policy header with a frame-ancestors directive listing the permitted origins instead (each scheme and host variant you want to permit must be listed explicitly there as well).
To deny framing by all sites, including your own, add
Header always set X-Frame-Options "DENY"
Configure X-Frame-Options with .htaccess
If you don't have access to the Apache server configuration, open the .htaccess file in a text editor
$ sudo vi /var/www/html/.htaccess
The Header directive is only honoured in .htaccess when the directory's AllowOverride includes FileInfo (or All) and mod_headers is loaded; otherwise Apache answers every request for that directory with a 500 error.
Add the following line to allow same-origin framing
Header always set X-Frame-Options "SAMEORIGIN"
Use set rather than append: append joins a second value onto a header that already exists, separated by a comma, and a browser that sees two different X-Frame-Options values either ignores the header or falls back to DENY, depending on the values.
For allowing a specific website, the single-origin form is
Header always set X-Frame-Options "ALLOW-FROM https://www.example.com/"
but this value is obsolete and ignored by current browsers. Appending one line per variation of the domain produces a comma-separated list of values that no browser accepts, which leaves the page framable by anyone. Use a Content-Security-Policy frame-ancestors directive instead.
To deny framing from all sites, add
Header always set X-Frame-Options "DENY"
2. Restart Apache Web Server
Run apachectl configtest first to catch syntax errors, then restart Apache to apply the changes (on RedHat/CentOS/Fedora the service is called httpd).
$ sudo service apache2 restart
Verify the result with curl -I against the site and confirm that the X-Frame-Options header is present, including on an error page such as a 404. Browsers will now refuse to render your pages inside frames on other sites, which defeats clickjacking attempts that rely on embedding your page and passing it off as the attacker's own.
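The script below is an added example written for this article; it is not part of the original page and not code from the Apache project. It emulates the browser's side of the X-Frame-Options check described in the values list above (the algorithm from the HTML Standard, which current browsers follow) together with a simplified Content-Security-Policy frame-ancestors matcher, and runs it over response headers constructed by hand to match each Apache configuration discussed: the SAMEORIGIN and DENY lines, the repeated ALLOW-FROM lines as Header set and as Header append would emit them, and a CSP header as produced by a directive such as Header always set Content-Security-Policy "frame-ancestors 'self' https://www.example.com". The hostnames mysite.test and attacker.test are hypothetical. The same framing_allowed() function can be fed the output of curl -sI against a real server.

```python
"""Decide whether a browser will render a page inside a frame, given the page's response headers.

Added example for this article, not code from Apache or from the article's author.
Implements the X-Frame-Options check from the HTML Standard plus a simplified CSP
frame-ancestors matcher ('none', 'self', *, exact origins, scheme-only and *.host
sources; ports and paths in source expressions are ignored, first directive wins).
"""
from urllib.parse import urlsplit

# Constructed response headers, written by hand to match the Apache directives in the
# article (not captured from a real server). Hostnames are hypothetical.
PAGE = "https://mysite.test/account"
SAMEORIGIN = "HTTP/1.1 200 OK\nX-Frame-Options: SAMEORIGIN\n"
DENY = "HTTP/1.1 200 OK\nX-Frame-Options: DENY\n"
# four 'Header set ... ALLOW-FROM' lines: each replaces the last, so one value survives
ALLOW_FROM_SET = "HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM https://www.example.com/\n"
# four 'Header append ... ALLOW-FROM' lines: the values are comma-joined into one header
ALLOW_FROM_APPEND = ("HTTP/1.1 200 OK\nX-Frame-Options: ALLOW-FROM http://example.com/, "
                     "ALLOW-FROM http://www.example.com/, ALLOW-FROM https://example.com/, "
                     "ALLOW-FROM https://www.example.com/\n")
# the supported way to admit one partner origin in addition to your own
CSP = "HTTP/1.1 200 OK\nContent-Security-Policy: frame-ancestors 'self' https://www.example.com\n"


def origin_of(url):
    """scheme://host for a URL, keeping a non-default port."""
    p = urlsplit(url)
    default = {"http": 80, "https": 443}.get(p.scheme)
    port = f":{p.port}" if p.port and p.port != default else ""
    return f"{p.scheme}://{p.hostname or ''}{port}"


def parse_headers(raw):
    """Raw header text (e.g. from `curl -sI`) -> list of (lowercase name, value)."""
    pairs = []
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def header_values(pairs, name):
    """'Get, decode and split': repeated headers are joined, then split on commas."""
    joined = ",".join(v for n, v in pairs if n == name)
    return [v.strip() for v in joined.split(",") if v.strip()]


def source_matches(src, page_origin, origin):
    """Does one frame-ancestors source expression admit the given ancestor origin?"""
    scheme, _, host = origin.partition("://")
    if src == "'none'":
        return False
    if src == "'self'":
        return origin == page_origin
    if src == "*":
        return True
    if src.endswith(":"):                      # scheme-only source, e.g. https:
        return scheme == src[:-1]
    s_scheme, sep, s_host = src.partition("://")
    if not sep:                                # bare host: takes the page's scheme
        s_scheme, s_host = scheme, s_scheme
    if s_scheme != scheme:
        return False
    if s_host.startswith("*."):
        return host.endswith(s_host[1:])
    return host == s_host


def frame_ancestors_allows(sources, page_origin, ancestors):
    """Every ancestor frame must match at least one source expression."""
    return all(any(source_matches(s, page_origin, a) for s in sources) for a in ancestors)


def framing_allowed(raw_headers, page_url, ancestor_urls):
    """True if the page at page_url may be shown inside frames whose documents live at
    ancestor_urls (all ancestors, innermost to outermost); False if the browser blocks it."""
    pairs = parse_headers(raw_headers)
    page_origin = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    if not ancestors:                          # top-level document: nothing to enforce
        return True
    # A CSP frame-ancestors directive wins outright; X-Frame-Options is then not consulted.
    for name, value in pairs:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return frame_ancestors_allows(parts[1:] or ["'none'"], page_origin, ancestors)
    xfo = {v.lower() for v in header_values(pairs, "x-frame-options")}
    if len(xfo) > 1:
        # Conflicting recognised values are treated as DENY; several unrecognised values
        # (such as a comma-joined list of ALLOW-FROM) make the header a no-op.
        return not (xfo & {"deny", "allowall", "sameorigin"})
    if not xfo:
        return True                            # no header at all: any site may frame the page
    value = xfo.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(a == page_origin for a in ancestors)
    return True                                # ALLOW-FROM or any other unrecognised value: ignored


def report():
    """Print, for each constructed configuration, which framing origins get through."""
    cases = [("SAMEORIGIN", SAMEORIGIN), ("DENY", DENY), ("ALLOW-FROM via Header set", ALLOW_FROM_SET),
             ("ALLOW-FROM via Header append", ALLOW_FROM_APPEND), ("CSP frame-ancestors", CSP)]
    framers = ["https://mysite.test/", "https://www.example.com/", "https://attacker.test/"]
    for label, raw in cases:
        verdicts = [f"{f}={'allowed' if framing_allowed(raw, PAGE, [f]) else 'blocked'}" for f in framers]
        print(f"{label:30} " + "  ".join(verdicts))


if __name__ == "__main__":
    report()
```

Running the script shows the point the configuration sections make: both ALLOW-FROM variants let attacker.test frame the page, because a current browser sees no value it recognises and discards the header, while the CSP frame-ancestors header admits exactly the listed partner origin and the page's own origin and blocks everything else.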