Clickjacking is one of the most insidious and overlooked security threats facing websites today. In this comprehensive guide, we'll take an in-depth look at clickjacking attacks, understand why they are so dangerous, and walk through exactly how to implement robust clickjacking defense in Apache servers using X-Frame-Options and other advanced techniques.
What Makes Clickjacking So Devious?
Clickjacking is what I consider a "silent killer" – it allows an attacker to essentially hide malicious actions under a veil of legitimacy. Here's a quick run-down:
- Attacker frames the victim's site in an invisible iframe on a malicious page
- The malicious page overlays transparent buttons on top of the invisible iframe
- User clicks what they think is a legit button but is actually clicking on the hidden iframe!
This allows the attacker to trick the victim into unwittingly performing actions like transferring money or sharing content. According to OWASP, clickjacking has been used successfully against major sites including Twitter and Gmail.
One reason clickjacking is so devastating is that it completely violates the trust relationship between a user and a website. Users expect that when they click something, it will perform the action they intend. Clickjacking exploits this expectation in an incredibly deceptive way.
As a website owner, you have an obligation to your users to protect them from threats like clickjacking that completely undermine their trust and autonomy on your site.
Clickjacking Statistics – A Growing Threat
Clickjacking attacks remain highly prevalent against websites. Let's look at some statistics that demonstrate the scale of this threat:
- According to Acunetix, over 20% of the Alexa Top 10,000 sites are vulnerable to clickjacking.
- Positive Technologies found clickjacking vulnerabilities on 38% of financial services sites they tested.
- 75% of sites in the education sector contain clickjacking flaws according to High-Tech Bridge.
- ImmuniWeb has detected clickjacking on 30% of e-commerce sites.
With clickjacking running rampant across industries like finance and e-commerce, it's clear website owners need to take action to lock down their web apps.
X-Frame-Options to the Rescue
Luckily, the X-Frame-Options HTTP header provides a simple and effective defense against clickjacking. By restricting which sites can frame pages, X-Frame-Options blocks untrusted third-party sites from encasing your pages in invisible iframes.
There are 3 possible values for this header:
- SAMEORIGIN – Allow framing only by pages from the same origin
- DENY – Block framing by any page, including your own
- ALLOW-FROM uri – Allow framing only by the specified origin (obsolete: current browsers do not support it and treat the header as invalid, so use the CSP frame-ancestors directive instead when you need to allow-list a specific origin)
SAMEORIGIN is the most commonly used value as it allows framing only on your own site. The browser will block your pages from being framed on any external domains.
Now let's walk through exactly how to implement X-Frame-Options in Apache…
Step-by-Step Guide: Enabling X-Frame-Options in Apache
- Log in to your Apache server as an admin user
- Back up your httpd.conf file in case anything goes wrong
- Open httpd.conf in a text editor like vim or nano
- Add the following line (the Header directive is provided by mod_headers, so make sure that module is loaded; on Debian/Ubuntu run sudo a2enmod headers first, otherwise Apache will refuse to start with "Invalid command 'Header'"):
Header always set X-Frame-Options "SAMEORIGIN"
- Restart the Apache service by running:
sudo systemctl restart apache2
- X-Frame-Options is now enabled!
Apache will now send the X-Frame-Options header with a value of SAMEORIGIN on all responses, including error pages (that is what the always keyword does; without it, mod_headers adds the header only to successful responses, leaving 4xx and 5xx pages frameable). Your pages will be protected from cross-origin framing.
Locking Down Framing with CSP frame-ancestors
X-Frame-Options is great, but we can take clickjacking defense even further with Content Security Policy.
The CSP frame-ancestors directive controls which sites can frame pages, similar to X-Frame-Options, but it also accepts a list of specific origins. Browsers that support frame-ancestors give it precedence over X-Frame-Options, so X-Frame-Options acts as the fallback for older browsers. When used together, they create an incredibly strong anti-fraud and anti-clickjacking shield.
Here is an example CSP frame-ancestors policy:
Content-Security-Policy: frame-ancestors 'self'
This allows framing only on pages from the same origin, blocking external sites from framing your content.
I highly recommend combining both X-Frame-Options SAMEORIGIN and a CSP frame-ancestors 'self' policy to fully lock down framing permissions.
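As an added example (not part of the original article and not Apache's own tooling), here is a small POSIX shell script that applies both headers from the two sections above to an Apache configuration file in one go: it backs the file up, appends the directives exactly once inside an <IfModule mod_headers.c> guard so Apache still starts if mod_headers is not loaded, and runs apachectl configtest when that binary is available. The config path passed on the command line is a placeholder; /etc/apache2/apache2.conf (Debian/Ubuntu) or /etc/httpd/conf/httpd.conf (RHEL family) are the usual targets.

```shell
#!/bin/sh
# Added example, not from the original article: install the anti-clickjacking
# headers into an Apache config file exactly once, then validate the syntax.
# The config path is supplied by the caller (placeholder); nothing here is
# Apache's own tooling except the apachectl call.

add_frame_headers() {
    conf="$1"
    # Idempotent: do not append a second copy on repeated runs
    if grep -q 'Header.*X-Frame-Options' "$conf"; then
        echo "X-Frame-Options already configured in $conf" >&2
        return 0
    fi
    cp "$conf" "$conf.bak"   # keep a backup, as the article advises
    cat >> "$conf" <<'EOF'

# Anti-clickjacking: X-Frame-Options for older browsers, CSP frame-ancestors
# for current ones. "always" adds the headers to error responses (4xx/5xx) too.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
EOF
}

# Returns 0 when both directives are present in the file, 1 otherwise
check_frame_headers() {
    grep -q 'Header always set X-Frame-Options "SAMEORIGIN"' "$1" &&
    grep -q "frame-ancestors 'self'" "$1"
}

# Validate the whole server config before restarting; skipped when apachectl
# is not installed (e.g. when this script is run on a workstation).
validate_config() {
    if command -v apachectl >/dev/null 2>&1; then
        apachectl configtest
    else
        echo "apachectl not found, skipping syntax check" >&2
    fi
}

# Usage: sh add_frame_headers.sh /etc/apache2/apache2.conf && sudo systemctl restart apache2
if [ "$#" -gt 0 ]; then
    add_frame_headers "$1" && check_frame_headers "$1" && validate_config
fi
```

One caveat on the Content-Security-Policy line: Header set replaces any existing header of that name, so if your application already emits its own Content-Security-Policy, add frame-ancestors to that policy rather than overwriting it here.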
Testing Everything is Working
Verifying the headers is easy using Chrome DevTools or an online header checker tool.
To test with DevTools:
- Open your site in Chrome
- Open DevTools (Ctrl+Shift+I)
- Click the Network tab
- Reload the page
- Click the request and view the Response Headers
You should see both X-Frame-Options and Content-Security-Policy headers present.
Using online tools like Geekflare's header checker allows quick and easy validation that your headers are correctly set.
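To automate the check above from the command line, here is an added shell function (not from the original article or from any of the tools it names) that reads a captured set of response headers on stdin and reports whether a working framing defense is present. It accepts DENY or SAMEORIGIN for X-Frame-Options, flags the obsolete ALLOW-FROM form, and looks for a frame-ancestors directive that does not allow every origin. The hostnames in the comments are placeholders.

```shell
#!/bin/sh
# Added example, not from the original article: audit captured HTTP response
# headers (stdin) for anti-clickjacking protection. Exit status 0 = protected.
# Feed it real headers with:
#   curl -s -D - -o /dev/null https://your-site.example | audit_frame_headers
# (a GET with -D - rather than curl -I, since some servers send different
#  headers for HEAD requests).

audit_frame_headers() {
    # Normalise: strip CRs and lower-case everything so matching is case-insensitive
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    xfo=$(printf '%s\n' "$hdrs" | sed -n 's/^x-frame-options:[[:space:]]*//p' \
          | sed 's/[[:space:]]*$//' | head -n 1)
    csp=$(printf '%s\n' "$hdrs" | sed -n 's/^content-security-policy:[[:space:]]*//p' \
          | sed 's/[[:space:]]*$//' | head -n 1)
    protected=1

    case "$xfo" in
        deny|sameorigin)
            echo "OK   X-Frame-Options: $xfo"; protected=0 ;;
        allow-from*)
            echo "WARN X-Frame-Options ALLOW-FROM is obsolete; current browsers ignore it" ;;
        "")
            echo "MISS no X-Frame-Options header" ;;
        *)
            echo "WARN unrecognised X-Frame-Options value: $xfo" ;;
    esac

    case "$csp" in
        *frame-ancestors*)
            # Isolate the frame-ancestors source list (up to the next ';')
            fa=$(printf '%s\n' "$csp" | sed -n 's/.*frame-ancestors[[:space:]]*\([^;]*\).*/\1/p')
            case "$fa" in
                *'*'*) echo "WARN frame-ancestors permits any origin: $fa" ;;
                *)     echo "OK   frame-ancestors $fa"; protected=0 ;;
            esac ;;
        "")
            echo "MISS no Content-Security-Policy header" ;;
        *)
            echo "WARN CSP present but has no frame-ancestors directive" ;;
    esac
    return $protected
}
```

Run it against more than the home page: error pages, login forms and API endpoints often come from different handlers, and a Header directive without the always keyword leaves non-2xx responses unprotected.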
In Closing: Prioritizing Clickjacking Defense
Clickjacking remains one of the most dangerous and overlooked threats to web security. As site owners, we have an obligation to implement anti-clickjacking headers like X-Frame-Options and CSP to protect our users.
Following the steps in this guide, you can lock down framing permissions and eliminate the scourge of clickjacking from your web application. Your users will enjoy peace of mind knowing their experience and actions on your site are protected from deceptive UI redress attacks. So take action today to slam the door on clickjacking!