Securing Apache X-Frame-Options

Issue

If the header is not set to DENY or SAMEORIGIN, and no specific allowed origins are listed, a site can be embedded by third-party pages in frames or iframes.

Remediation Options

For servers running the Apache web server, this can be addressed by adding the line below to apache2.conf or httpd.conf, or to a site's .htaccess file if you host multiple sites on the same server and need different options for each.

Header always append X-Frame-Options SAMEORIGIN

Variations Allowed

Even if you still need to embed content across multiple sites, X-Frame-Options can be configured in several ways. The table below explains the available settings, followed by an example directive for each.

Setting      Description
SAMEORIGIN   Allows the page to be displayed in a frame or iframe only when the framing page is from the same origin.
DENY         Disallows the page from being displayed in a frame or iframe regardless of the framing page's origin.
ALLOW-FROM   Allows only explicitly whitelisted origins to frame the page; all other origins are implicitly denied.

Examples:

Header always append X-Frame-Options SAMEORIGIN
Header always append X-Frame-Options DENY
Header always append X-Frame-Options ALLOW-FROM http://example.com
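As an added check (example code written for this page, not from the original post), framing_allowed follows the X-Frame-Options algorithm in the HTML Standard, and apply_header_directive is a simplified model of what Apache's Header set and Header append do to a response that already carries the header. Both function names and the sample origins are assumptions; note that browsers following the standard (current Chrome and Firefox) do not recognise ALLOW-FROM, so a page sending only that value can be framed from anywhere, and CSP frame-ancestors is the supported replacement.

```python
EFFECTIVE = ("deny", "allowall", "sameorigin")  # values the HTML Standard treats as meaningful


def apply_header_directive(headers, directive):
    """Apply one 'Header [always] set|append|unset Name Value' line to a list of
    (name, value) response headers. Simplified model of mod_headers written for
    this example: 'append' joins onto an existing header with ', ', 'set' replaces."""
    headers, parts = list(headers), directive.split()
    if parts[0] != "Header":
        raise ValueError(f"not a Header directive: {directive!r}")
    if parts[1].lower() == "always":  # 'always' only widens which responses are touched
        parts.pop(1)
    action, name, value = parts[1].lower(), parts[2], " ".join(parts[3:]).strip('"')
    existing = [i for i, (n, _) in enumerate(headers) if n.lower() == name.lower()]
    if action == "append" and existing:
        i = existing[0]
        headers[i] = (headers[i][0], headers[i][1] + ", " + value)
        return headers
    headers = [h for h in headers if h[0].lower() != name.lower()]
    if action in ("set", "append"):
        headers.append((name, value))
    elif action != "unset":
        raise ValueError(f"unsupported action {action!r}")
    return headers


def framing_allowed(headers, page_origin, ancestor_origins, csp_frame_ancestors=False):
    """True if a browser following the HTML Standard's X-Frame-Options check would
    render the page inside frames owned by ancestor_origins (all frames above it)."""
    if not ancestor_origins or csp_frame_ancestors:
        return True  # not framed at all, or CSP frame-ancestors is present and XFO is ignored
    options = []  # ordered set of lowercased values, split on commas the way browsers do
    for name, value in headers:
        if name.lower() == "x-frame-options":
            for token in value.split(","):
                token = token.strip().lower()
                if token not in options:
                    options.append(token)
    if len(options) > 1:  # conflicting values: fail closed only if a known value is among them
        return not any(o in options for o in EFFECTIVE)
    if options == ["deny"]:
        return False
    if options == ["sameorigin"]:  # every ancestor, not only the top frame, must match
        return all(o == page_origin for o in ancestor_origins)
    return True  # missing, unrecognised, or ALLOW-FROM: any origin may frame the page
```

Running apply_header_directive with the append line above against a response that already carries X-Frame-Options: DENY (for example one set by the application) yields "DENY, SAMEORIGIN", which conforming browsers resolve to a refusal; Header set replaces the existing value instead of merging.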

Final Notes

If X-Frame-Options is declared in a global location such as the Apache configuration file, the Apache service must be restarted for the setting to take effect. If it is set in an .htaccess file, no restart of Apache is required.
