How to Configure X-Frame-Options in Apache

X-Frame-Options is an HTTP response header that is used to allow or prevent a browser from opening the requested page in a frame or iframe. It is used to prevent clickjacking and unauthorized embedding of web pages from other sites. In this article, we will look at how to configure x-frame-options in Apache web server.


How to Configure X-Frame-Options in Apache

There are two ways to configure X-Frame-Options in Apache – via Apache configuration and via .htaccess file.

X-Frame-Options header can assume 3 values as follows:

  • SAMEORIGIN – allow your website pages to be displayed in an iframe on the same website
  • ALLOW-FROM uri – allow your websites pages to embedded in the specified domains/websites
  • DENY – do not allow any website to embed your website’s pages in an iframe

Also read : How to Redirect 403 to 404 in Apache


1. Configure X-Frame-Options using Apache Configuration file

Open Apache configuration file using a text editor

## debian/ubuntu
$ sudo vi /etc/apache2/conf-enabled/security.conf
## redhat/centos/fedora
$ sudo vi /etc/httpd/conf/httpd.conf

Apache configuration file may also be present at any of the following location, depending on your installation

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf

Add any of the following lines, depending on your requirement.

If you want to allow embedding for same origin, that is, default behavior, add

Header set X-Frame-Options: "SAMEORIGIN"

If you want to allow from specific domain (e.g. example.com), add

Header set X-Frame-Options: "ALLOW-FROM http://example.com/"  
Header set X-Frame-Options: "ALLOW-FROM http://www.example.com/"  
Header set X-Frame-Options: "ALLOW-FROM https://example.com/"  
Header set X-Frame-Options: "ALLOW-FROM https://www.example.com/" 

Please note, each variation of the allowed domain(s) such as www, non-www, http, and https have to be specified separately.

If you want to deny embedding to all sites, including yours, add

Header set X-Frame-Options: "DENY"

Also read : How to Redirect Subfolder to Root in Apache


Configure X-frame-options with .htaccess

If you don’t have access to apache server configuration, open .htaccess file in a text editor

$ sudo vi /var/www/html/.htaccess

and add the following line to allow same origin

Header append X-Frame-Options: "SAMEORIGIN"

for allowing specific websites (e.g. example.com) add the following lines

Header append X-Frame-Options: ALLOW-FROM http://example.com/
Header append X-Frame-Options: ALLOW-FROM http://www.example.com/
Header append X-Frame-Options: ALLOW-FROM https://example.com/
Header append X-Frame-Options: ALLOW-FROM https://www.example.com/

if you want to deny from all sites, add the following line

Header append X-Frame-Options: "DENY"

Also read : How to Block User-Agent in Apache


2. Restart Apache Web Server

Restart Apache to apply changes.

$ sudo service apache2 restart

Now other sites will not be able to embed your website’s pages on their site and pass it as their own.


Leave a Reply

Your email address will not be published. Required fields are marked *