X-Frame-Options is an HTTP response header that is used to allow or prevent a browser from opening the requested page in a frame or iframe. It is used to prevent clickjacking and unauthorized embedding of web pages from other sites. In this article, we will look at how to configure x-frame-options in Apache web server.
How to Configure X-Frame-Options in Apache
There are two ways to configure X-Frame-Options in Apache – in the Apache configuration file, or in a .htaccess file.
The X-Frame-Options header can take one of three values:
- SAMEORIGIN – allow your website's pages to be displayed in an iframe only on pages of the same origin
- ALLOW-FROM uri – allow your website's pages to be embedded only by the specified site
- DENY – do not allow any site, including your own, to embed your website's pages in an iframe
1. Configure X-Frame-Options using Apache Configuration file
Open Apache configuration file using a text editor
## debian/ubuntu
$ sudo vi /etc/apache2/conf-enabled/security.conf
## redhat/centos/fedora
$ sudo vi /etc/httpd/conf/httpd.conf
The Apache configuration file may also be present at any of the following locations, depending on your installation:
- /etc/apache2/httpd.conf
- /etc/apache2/apache2.conf
- /etc/httpd/httpd.conf
Add one of the following lines, depending on your requirement. The Header directive is provided by mod_headers, so make sure that module is loaded (on Debian/Ubuntu: sudo a2enmod headers).
If you want to allow embedding only from the same origin, add
Header set X-Frame-Options "SAMEORIGIN"
If you want to allow embedding from one specific site (e.g. https://example.com), add
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
Please note that ALLOW-FROM takes exactly one URI, and it must match the embedding page exactly: www and non-www, http and https are all different origins. Repeating Header set with the other variants does not help, because each Header set replaces the value written by the previous one, so only the last line would take effect. Be aware also that ALLOW-FROM is obsolete: current Chrome, Firefox, Safari and Edge do not recognise it and apply no framing restriction, which leaves the page embeddable by anyone. If you need to allow particular embedding sites, use the Content-Security-Policy frame-ancestors directive for that, and keep X-Frame-Options at SAMEORIGIN or DENY.
If you want to deny embedding on all sites, including your own, add
Header set X-Frame-Options "DENY"
Configure X-Frame-Options with .htaccess
If you don't have access to the Apache server configuration, open the .htaccess file in your site's document root in a text editor. Header directives in .htaccess are only honoured if the directory's AllowOverride setting includes FileInfo (or All).
$ sudo vi /var/www/html/.htaccess
and add the following line to allow same-origin embedding only
Header set X-Frame-Options "SAMEORIGIN"
Use set rather than append here: X-Frame-Options must carry a single value, and append would merge this value with any X-Frame-Options header already set in the server configuration (for example "SAMEORIGIN, DENY"), which browsers do not accept as a valid header.
for allowing one specific website (e.g. https://example.com) add the following line (ALLOW-FROM takes a single URI and is not supported by current browsers, so prefer SAMEORIGIN or DENY)
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
if you want to deny embedding from all sites, add the following line
Header set X-Frame-Options "DENY"
2. Restart Apache Web Server
Check the configuration for syntax errors, then restart Apache to apply the changes.
$ sudo apachectl configtest
## debian/ubuntu
$ sudo service apache2 restart
## redhat/centos/fedora
$ sudo service httpd restart
You can confirm that the header is being sent with
$ curl -sI https://example.com/ | grep -i x-frame-options
Now other sites will not be able to embed your website’s pages on their site and pass it as their own.
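A small audit script, added here as an example and not part of the original article, that takes a response head as printed by curl -sI (the sample responses below are constructed) and reports whether X-Frame-Options actually protects the page, flagging the two misconfigurations discussed above: several values in one header, and the obsolete ALLOW-FROM directive.

```python
def parse_head(raw):
    """Parse a response head (status line + headers) into a dict keyed by
    lower-cased header name. Repeated headers are joined with ', ' as HTTP
    permits; that is also the shape Apache's `Header append` produces."""
    headers = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if not line.strip():  # an empty line ends the head
            break
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def classify_xfo(headers):
    """Return (verdict, detail); verdict is 'protected', 'unprotected' or 'invalid'."""
    value = headers.get("x-frame-options")
    if value is None:
        return "unprotected", "no X-Frame-Options header"
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    if len(tokens) != 1:
        # The header takes exactly one value. Extra values come from `Header append`
        # or repeated Header lines; treat this as a misconfiguration rather than
        # relying on how a particular browser resolves the conflict.
        return "invalid", f"multiple values: {tokens}"
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        return "protected", directive
    if directive.startswith("ALLOW-FROM"):
        # Obsolete: current browsers do not recognise ALLOW-FROM and apply no
        # framing restriction, so the page stays embeddable by any site.
        return "unprotected", "ALLOW-FROM is ignored by modern browsers"
    return "invalid", f"unrecognised directive {tokens[0]!r}"


# Constructed sample response heads (not captured from any real server).
SAMPLE_SAMEORIGIN = "HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
# What `Header append X-Frame-Options DENY` in .htaccess yields when the server
# configuration already sets SAMEORIGIN:
SAMPLE_APPENDED = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, DENY\r\n\r\n"
SAMPLE_ALLOW_FROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com/\r\n\r\n"
SAMPLE_MISSING = "HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"

if __name__ == "__main__":
    for label, raw in [("sameorigin", SAMPLE_SAMEORIGIN), ("appended", SAMPLE_APPENDED),
                       ("allow-from", SAMPLE_ALLOW_FROM), ("missing", SAMPLE_MISSING)]:
        print(f"{label:<11} -> {classify_xfo(parse_head(raw))}")
```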