How to Configure X-Frame-Options in Apache

The X-Frame-Options HTTP header tells web browsers whether a web page may be opened inside a frame or iframe. It is used to prevent clickjacking and unauthorized embedding of your web pages on another website. Every web server lets you configure X-Frame-Options. In this article, we will learn how to configure X-Frame-Options on an Apache server.

How to Configure X-Frame-Options in Apache

You can configure X-Frame-Options in two ways – via the Apache server configuration or via an .htaccess file. Either way, X-Frame-Options can take only one of the following three values.

  • SAMEORIGIN – allow web pages to be displayed in an iframe only on the same origin (your own website)
  • ALLOW-FROM uri – allow web pages to be embedded by the one origin named in uri
  • DENY – do not allow any website, including your own, to embed your web pages in an iframe

1. Configure X-Frame-Options in Apache Configuration File

First, open the Apache server configuration file in a text editor.

## debian/ubuntu
$ sudo vi /etc/apache2/apache2.conf

## redhat/centos/fedora
$ sudo vi /etc/httpd/conf/httpd.conf

Depending on your installation, you may also find the Apache configuration file at other locations, such as:

  • /etc/apache2/httpd.conf
  • /etc/apache2/conf-enabled/security.conf
  • /etc/httpd/httpd.conf

If you want to allow embedding only from the same origin, add the following directive. Note that the header name is followed directly by the value; there is no colon in the directive.

Header set X-Frame-Options "SAMEORIGIN"

If you want to allow your web pages to be displayed on another domain such as example.com, use the following directive. ALLOW-FROM accepts a single origin, and each "Header set" line replaces any value set by an earlier one, so only one of these lines can be in effect at a time; use the one that matches the scheme and host of the page that will embed yours.

# Only one ALLOW-FROM origin can be sent; later "Header set" lines replace earlier ones.
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
# Alternatives, depending on which URL the embedding page uses:
# Header set X-Frame-Options "ALLOW-FROM http://example.com/"
# Header set X-Frame-Options "ALLOW-FROM http://www.example.com/"
# Header set X-Frame-Options "ALLOW-FROM https://www.example.com/"

Please note that the http, https, www and non-www variations of a domain are distinct origins, so each one has to be specified separately; there is no wildcard.

If you want to deny embedding by all websites, including your own, add the following.

Header set X-Frame-Options "DENY"

Configure X-Frame-Options using .htaccess

Most of the time, website administrators do not have access to the Apache server configuration file. In such cases, you can configure X-Frame-Options using an .htaccess file. If .htaccess files are not enabled for your site, enable them first; the Header directive itself is provided by mod_headers, which must also be loaded. Open the file in a text editor.

$ sudo vi /var/www/html/.htaccess

Add the following line to allow embedding only from the same origin/website. Use "Header set" rather than "Header append": append joins values with a comma (for example "SAMEORIGIN, SAMEORIGIN" if the header is also set elsewhere), which browsers do not treat as a valid X-Frame-Options value.

# Requires mod_headers (on Debian/Ubuntu: sudo a2enmod headers)
Header set X-Frame-Options "SAMEORIGIN"

For allowing a specific website (e.g. example.com) to embed your pages, add the following line. The value contains a space, so it must be quoted; only one ALLOW-FROM origin can be in effect.

# Only one ALLOW-FROM origin can be sent; later "Header set" lines replace earlier ones.
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
# Alternatives, depending on which URL the embedding page uses:
# Header set X-Frame-Options "ALLOW-FROM http://example.com/"
# Header set X-Frame-Options "ALLOW-FROM http://www.example.com/"
# Header set X-Frame-Options "ALLOW-FROM https://www.example.com/"

If you want to deny embedding on all sites, add the following line.

Header set X-Frame-Options "DENY"

2. Restart Apache Web Server

Restart the Apache web server to apply the changes.

## debian/ubuntu
$ sudo service apache2 restart

## redhat/centos/fedora
$ sudo systemctl restart httpd

Now other sites will not be able to embed your web pages and show them as their own content. It will prevent unauthorized embedding of your content and
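After restarting, it is worth confirming that the header is actually being sent and that it carries a value browsers will enforce. The following POSIX shell function is an added example and is not part of the original article: it reads raw HTTP response headers on standard input (for instance from curl -sI) and reports whether X-Frame-Options is missing, duplicated, comma-joined (the symptom of "Header append"), set to the deprecated ALLOW-FROM form that current browsers no longer honour, or a valid DENY/SAMEORIGIN. The sample responses at the bottom are constructed for the demonstration, not captured from a real server.

```shell
#!/bin/sh
# check_xfo: validate the X-Frame-Options header in an HTTP response.
# Usage:  curl -sI https://www.example.com/ | check_xfo
# Exit status: 0 = enforced (DENY or SAMEORIGIN), 2 = ALLOW-FROM (not honoured
# by current browsers), 1 = missing, duplicated or malformed.
check_xfo() {
    # Header names are case-insensitive; strip the CR of HTTP line endings,
    # keep only X-Frame-Options lines and drop the name and surrounding spaces.
    values=$(tr -d '\r' | grep -i '^x-frame-options:' \
             | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    count=$(printf '%s\n' "$values" | grep -c .)

    if [ "$count" -eq 0 ]; then
        echo "FAIL: no X-Frame-Options header; any site can frame this page"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "FAIL: $count X-Frame-Options headers; browsers ignore conflicting values"
        return 1
    fi

    upper=$(printf '%s' "$values" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN)
            echo "OK: X-Frame-Options: $values"
            return 0 ;;
        ALLOW-FROM\ *)
            echo "WARN: '$values' uses ALLOW-FROM, which current browsers do not enforce"
            return 2 ;;
        *,*)
            echo "FAIL: comma-joined value '$values' (typically from Header append); use Header set"
            return 1 ;;
        *)
            echo "FAIL: unrecognised value '$values'"
            return 1 ;;
    esac
}

# Constructed sample responses (not from a real server) to exercise each branch.
sample_ok='HTTP/1.1 200 OK
Content-Type: text/html
x-frame-options: SAMEORIGIN'

sample_append='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN, SAMEORIGIN'

sample_missing='HTTP/1.1 200 OK
Content-Type: text/html'

printf '%s\n' "$sample_ok"      | check_xfo || :
printf '%s\n' "$sample_append"  | check_xfo || :
printf '%s\n' "$sample_missing" | check_xfo || :
```

Run it against the live site with curl -sI piped into check_xfo once Apache has been restarted; a non-zero exit status means the configuration is not doing what the directives above intend.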
