How can I set X-Frame-Options in my PHP code so that it will be there in all the web pages from my server? Basically, I am trying to avoid iframe loading of my web app.
Use the line below in the PHP file that outputs the response to the client side.
header("X-Frame-Options: DENY");
DENY will fully block. You may also try the SAMEORIGIN option.
header("X-Frame-Options: SAMEORIGIN");
If you are using the Apache web server, you can also set it directly in httpd.conf.
<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>
The X-Frame-Options header prevents your site content from being embedded into other sites. Browsers allow other sites to open a web page in an iframe. It also secures your Apache web server from clickjacking attacks.
There are three options available to set with X-Frame-Options:
‘SAMEORIGIN’ – With this setting, you can embed pages on the same origin. For example, adding an iframe of a page to the site itself.
‘ALLOW-FROM uri’ – Use this setting to allow a specific origin (website/domain) to embed pages of your site in an iframe.
‘DENY’ – This will not allow any website to embed your site pages in an iframe.
There are two ways to set up X-Frame-Options:
1. with Apache Configuration
2. with .htaccess
With Apache configuration:
Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf
# Allow for Same Origin (Default Action)
Header set X-Frame-Options "SAMEORIGIN"
# Allow from specific origin
Header set X-Frame-Options "ALLOW-FROM http://example.com/"
# Deny to everyone
Header set X-Frame-Options "DENY"
With .htaccess:
Header append X-Frame-Options: "SAMEORIGIN"
How can I add the following security headers to my website?
X-Frame-Options - Protects against Clickjacking attacks
X-XSS-Protection - Mitigates Cross-Site Scripting (XSS) attacks
X-Content-Type-Options - Prevents possible phishing or XSS attacks
Two ways you can add these headers:
Apache Conf or .htaccess File
<IfModule mod_headers.c>
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"
</IfModule>
The Apache/htaccess approach is most likely the preferred way. If you add it to your configuration file, which may be in your httpd.conf or it could be in a vhost configuration file (really depends on how the server is set up), you would place it within a <Directory> element. To use .htaccess, the configuration for the site must have AllowOverride All. While it's pretty standard, you must have the mod_headers library installed in Apache as well.
PHP
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
With the PHP approach, you will need to write this to every response, so if you do not have a bootstrap that can do this, I'd recommend leveraging either your apache configuration file or the .htaccess file.
I found 3 websites that are iframing my website. At first I thought they had just copied my theme and were scraping my content. But when I edit my homepage, their homepage also changes automatically.
How can I prevent them from iframing my website? They are using up my server resources and ranking on Google also.
What I did so far (to some extent it hindered them from showing my website):
I enabled "Under Attack Mode" on Cloudflare, which is showing "Checking your browser" repeatedly (https://imgur.com/a/6TpyLyU).
Although there are some iframe buster scripts, you'll be better off adding the X-Frame-Options header to your responses:
X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://example.com/
When the browser sees these headers, it will stop loading your website if it was requested from an iframe.
Update
After a better explanation of the problem, this problem can be solved by adding a JavaScript redirect.
// If this document is not the top-level window, it is being framed by another page.
// Reading window.top.location.href throws when the framer is a different origin, so
// compare window references instead and navigate the top window back to the original site.
if (window.top !== window.self) {
    window.top.location.href = "http://original-website.com";
}
I have a multimedia site that contains thousands of videos. I had to prevent "clickjacking" due to some problems I encountered.
The thing is, when I include the following header in my httpd.config file, users cannot share my videos through social networks or applications.
Header always append X-Frame-Options SAMEORIGIN
I host the embed videos through https://example.org/embed/VIDEO-ID
Is it possible to disable X-Frame-Options SAMEORIGIN just for embed videos? If so, could you please explain it to me?
What I have tried so far:
I tried to remove header in /embed/ with PHP
I tried to unset the header in /embed/
On httpd I've done the following:
header always append X-Frame-Options SAMEORIGIN
On the /embed/ page I am doing the following:
header_remove("X-Frame-Options");
header('X-Frame-Options: GOFORIT');
We proxy images as licensed content and need to add max-age headers to the proxied images. I attempted modifying .htaccess, but it didn't work, and I suspect this is due to the proxied image folder not being an actual directory on the server.
First, the proxy is set up in apache2.conf:
# Image Proxy
ProxyPass /photo http://photo.licensor.com
ProxyPassReverse /photo http://photo.licensor.com
I made several attempts to modify .htaccess under the site's public_html directory. It appears that the condition to modify the max-age header for proxied images is never recognized by Apache, since /photo is not a real directory.
I'd really like to target ONLY the proxied images using the /photo directory that isn't real.
You can't use a <Location> container in an .htaccess file. It's probably best to put this in your Apache server config file next to your ProxyPass settings:
<LocationMatch "/photo">
# Image Proxy
ProxyPass http://photo.licensor.com
ProxyPassReverse http://photo.licensor.com
Header unset Etag
Header set Cache-Control "max-age=86400, public"
Header unset Expires
</LocationMatch>
I'm using a security scanning tool to check for vulnerabilities of my web application.
One of the results was a low warning about X-Content-Type-Options header being missing.
After some digging around, I found this post on setting Apache to emit nosniff headers and I put this code into my httpd.conf file:
<IfModule mod_headers.c>
Header unset ETag
Header set X-Frame-Options: deny
Header set X-XSS-Protection: "1; mode=block"
Header set X-Content-Type-Options: nosniff
Header set X-WebKit-CSP: "default-src 'self'"
Header set X-Permitted-Cross-Domain-Policies: "master-only"
</IfModule>
And it worked! But then my security scanning tool discovered that the 404 Not Found page on my web server was still giving me this warning. I'm guessing that the 404 error page is set to ignore the above rule somehow.
Can someone explain to me how to change this code or suggest an alternative so that error pages are included?
Could someone also maybe explain what the code above is doing? I don't actually know what IfModule or mod_headers.c actually means. Maybe that's why I'm having trouble in the first place.
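As an added example (not code from any of the posts above), the Python below evaluates X-Frame-Options the way the HTML specification tells browsers to and reads the header from error pages as well; it shows why an invalid value such as GOFORIT or an obsolete ALLOW-FROM value leaves a page frameable, why the duplicate SAMEORIGIN produced by `Header append` is harmless while conflicting values fall back to deny, and how to check a 404 page the way the scanner in the last question did. Any URL you pass to fetch_xfo is your own; none is assumed here.

```python
"""Evaluate X-Frame-Options as the HTML specification tells browsers to, and read
the header from error pages too. Added example; not code from any post above."""
import urllib.error
import urllib.request


def parse_xfo(raw_values):
    """Split each received X-Frame-Options field value on commas; return the
    lower-cased tokens without duplicates ('SAMEORIGIN, SAMEORIGIN' collapses)."""
    tokens = []
    for value in raw_values:
        for part in value.split(","):
            part = part.strip().lower()
            if part and part not in tokens:
                tokens.append(part)
    return tokens


def framing_allowed(raw_values, same_origin):
    """Return (allowed, reason). same_origin is True when every ancestor frame
    shares the document's origin."""
    tokens = parse_xfo(raw_values)
    if not tokens:
        return True, "header missing: any site may frame this page"
    if len(tokens) > 1:
        if any(t in ("deny", "sameorigin", "allowall") for t in tokens):
            return False, "conflicting values %r: browsers fall back to deny" % tokens
        return True, "several unrecognised values %r: header ignored" % tokens
    token = tokens[0]
    if token == "deny":
        return False, "DENY: no site may frame this page"
    if token == "sameorigin":
        if same_origin:
            return True, "SAMEORIGIN: framed by its own origin"
        return False, "SAMEORIGIN: cross-origin framing blocked"
    if token.startswith("allow-from"):
        return True, "ALLOW-FROM is obsolete: modern browsers ignore it and allow framing"
    return True, "invalid value %r: browsers ignore the header and allow framing" % token


def fetch_xfo(url):
    """Return the X-Frame-Options values of the response for url, including 4xx/5xx
    error pages: urllib raises HTTPError for those, but it carries the headers."""
    try:
        resp = urllib.request.urlopen(url, timeout=10)
    except urllib.error.HTTPError as err:
        resp = err
    return resp.headers.get_all("X-Frame-Options") or []
```

Run `framing_allowed(fetch_xfo("https://your-host/no-such-page"), False)` against a page of your own that returns 404; in Apache, `Header set` is applied only to successful responses, while `Header always set` (as in the first answer) also covers error pages, which is the difference such a check exposes.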