Wednesday, July 23, 2014

X-Frame-Options Header for Red Hat Linux and CentOS Apache Web Server (httpd)


The X-Frame-Options header restricts a web page's ability to be opened in a frame. Allowing a page to be framed can enable a clickjacking attack, in which the authentic page is loaded in a frame and a transparent layer is placed exactly on top of its login section to capture usernames and passwords.

According to the 'X-Frame-Options response header' reference on the Mozilla Developer site, there are three possible values for X-Frame-Options:


  • DENY
    The page cannot be displayed in a frame, regardless of the site attempting to do so.
  • SAMEORIGIN
    The page can only be displayed in a frame on the same origin as the page itself.
  • ALLOW-FROM uri
    The page can only be displayed in a frame on the specified origin.

Of the three options above, DENY should be used in every possible situation unless you use old-fashioned frames.

Example HEAD request reply from a web server with X-Frame-Options implemented:

[kasun@localhost ~]$ curl -I http://192.168.2.125
HTTP/1.1 200 OK
Date: Tue, 22 Jul 2014 19:20:17 GMT
Server: Apache
X-Frame-Options: DENY
Connection: close
Content-Type: text/html; charset=UTF-8

[kasun@localhost ~]$

To implement this header in CentOS/Red Hat httpd (Apache), run the following command as root:

echo "Header always append X-Frame-Options DENY" > /etc/httpd/conf.d/x-frame-options-header.conf

Check the configuration with:
httpd -t

Then reload the httpd configuration:
service httpd reload

[root@server html]# echo "Header always append X-Frame-Options DENY" > /etc/httpd/conf.d/x-frame-options-header.conf
[root@server html]# httpd -t
Syntax OK
[root@server html]# service httpd reload
Reloading httpd: 
[root@center html]#
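A verification step to go with the procedure above, as an added example rather than part of the original post: a small POSIX shell script that inspects a captured HTTP response (for instance the output of `curl -I` saved to a variable) and reports whether X-Frame-Options is missing, set to a supported value, or present more than once. The three sample responses inside the script are constructed for illustration, not captured from a real server. The duplicate check matters because the post's configuration uses `Header always append`, which merges with any X-Frame-Options value another directive already set (giving e.g. `SAMEORIGIN, DENY`), and browsers may treat such a combined value as invalid.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the X-Frame-Options
# header in an HTTP response passed as a single string.
# Exit codes of check_xfo_response:
#   0 = exactly one header with value DENY or SAMEORIGIN
#   1 = header missing (page can be framed by any site)
#   2 = unsupported value, or more than one value present

# Print every X-Frame-Options value found in the header section on stdin,
# one per line. Header names are matched case-insensitively, CRs from curl
# output are dropped, the body (after the first blank line) is ignored, and
# comma-merged values such as "SAMEORIGIN, DENY" are split into separate lines.
xfo_values() {
    tr -d '\r' | sed '/^$/q' | grep -i '^X-Frame-Options:' \
        | sed 's/^[^:]*:[[:space:]]*//' | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

check_xfo_response() {
    values=$(printf '%s\n' "$1" | xfo_values)
    count=$(printf '%s' "$values" | grep -c . || true)
    if [ "$count" -eq 0 ]; then
        echo "MISSING: no X-Frame-Options header; page can be framed by any site"
        return 1
    fi
    if [ "$count" -gt 1 ]; then
        echo "DUPLICATE: $count X-Frame-Options values ($(printf '%s' "$values" | tr '\n' ' ')); browsers may ignore the header"
        return 2
    fi
    # Values are case-insensitive, so compare in upper case.
    upper=$(printf '%s' "$values" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN) echo "OK: X-Frame-Options: $values"; return 0 ;;
        *) echo "UNSUPPORTED: X-Frame-Options: $values"; return 2 ;;
    esac
}

# Constructed sample responses (not from a real server).
RESP_OK='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: DENY
Content-Type: text/html; charset=UTF-8

<html>X-Frame-Options: SAMEORIGIN in the body must be ignored</html>'

RESP_MISSING='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
'

# What "Header always append" produces when another directive already set the header.
RESP_APPENDED='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN, DENY
Content-Type: text/html; charset=UTF-8
'

# Run the checks on the samples when the script is executed with no arguments.
if [ $# -eq 0 ]; then
    for r in "$RESP_OK" "$RESP_MISSING" "$RESP_APPENDED"; do
        check_xfo_response "$r" || true
    done
fi
```

To check a live server, capture the headers first (`resp=$(curl -sI http://host/)`) and pass them to `check_xfo_response "$resp"`. If the script reports a duplicate, look for another `Header` directive that already sets X-Frame-Options in the httpd configuration; `Header always set` replaces an existing value, whereas `append` merges into it. Note also that the `Header` directive is provided by mod_headers, so `httpd -t` will report an error if that module is not loaded.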

Image credits: http://blogs.technet.com
