I am writing a post after a long time, because a company ranked within the Alexa top 100 asked me how to patch their site against the clickjacking vulnerability. I am really interested in server-side flaws that end up affecting users. I almost never look for clickjacking in my bug hunting (about 1% of my total findings), but in rare cases I try to find one and turn it into easy and effective social engineering. Many companies don't consider it a threat, but it is a real one: nobody wants their site's content spoofed by another page layered over it, or sliced up by code overlaid on top of it. I am on a WordPress blog, so they don't currently let me demonstrate it here, but I have a new startup of mine where I use the concept effectively, and I will release that publicly soon as well. But let's talk about clickjacking protection now.
So, many newbie hackers find clickjacking by loading a site inside an iframe and calling it done, but they don't know the actual mitigation and patch. So first I suggest you read the Mozilla Developer page about X-Frame-Options: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
This vulnerability mainly comes from a missing or weak X-Frame-Options header. The header takes one of three values:
- DENY : If you set X-Frame-Options to DENY, the page cannot be embedded in an iframe by any site, including your own. This is where the patch for the infamous clickjacking bug lies.
- SAMEORIGIN : If you set X-Frame-Options to SAMEORIGIN, the page can only be displayed in a frame when every ancestor frame has the same origin as the page itself, so only your own pages can frame it.
- ALLOW-FROM uri : The page can only be displayed in a frame on the specified origin. Be careful with this one: it was only ever implemented by Firefox and Internet Explorer, and Chrome and Safari ignore the whole header when it carries this value, which leaves the page frameable. It is now obsolete; if you need to allow one specific origin, use the Content-Security-Policy frame-ancestors directive instead.
Now that the X-Frame-Options header is clear, we can move on to setting up the patch.
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration (the virtual host), or, for WordPress sites on Apache, to your .htaccess; it requires mod_headers. Use `set` rather than `append`: `append` joins its value onto any X-Frame-Options header already emitted by the application, and a header such as "SAMEORIGIN, DENY" is treated as DENY by browsers, which is rarely what you intended.
Header always set X-Frame-Options "DENY"
For Nginx, add this to the server block. The `always` parameter makes Nginx send the header on error responses as well, not just on 2xx/3xx. Note that add_header directives inside a location block replace, rather than extend, the ones inherited from the server block, so repeat the line in any location that sets its own headers.
add_header X-Frame-Options "DENY" always;
Drupal 7 has its own way to deal with response headers, the drupal_add_http_header() function, which takes the header name and value. So you can add drupal_add_http_header('X-Frame-Options', 'DENY'); in your module or theme code.
To configure IIS to send the X-Frame-Options header, add this element to your web.config inside system.webServer > httpProtocol > customHeaders (from the Mozilla Developer page):
<add name="X-Frame-Options" value="DENY" />
Many times web developers use this to protect only sensitive pages such as the login page or the sign-up page. Even WordPress does that for its login page. In PHP this is a header() call that sends X-Frame-Options, and it has to run before any output is written, because headers cannot be changed once the body has started.
The demonstrations above use DENY; you can use SAMEORIGIN instead by simply replacing the value. I hope it's clear now. So let's see how it looks.
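Once the header is configured, it pays to check what a browser would actually do with the response rather than just eyeballing the config. The following is an added example written for this post (not code from the original article or from any of the projects mentioned); it evaluates a response's headers the way current browsers do: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, X-Frame-Options values are compared case-insensitively, conflicting values collapse to DENY, and ALLOW-FROM or any other unrecognised value causes the header to be ignored. The header lists inside it are constructed samples, not captured from a real site.

```python
"""Evaluate whether a response's headers actually stop the page from being framed.

Added example (not code from the original post). Mirrors the checks current
browsers apply: CSP frame-ancestors wins over X-Frame-Options; X-Frame-Options
is case-insensitive; conflicting values are treated as DENY; ALLOW-FROM and
other unrecognised values make the header ignored. All headers here are
constructed samples.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # repeated header names allowed, as on the wire


@dataclass
class FramingVerdict:
    verdict: str  # "blocked", "same-origin", "allowlist" or "frameable"
    reason: str
    warnings: List[str] = field(default_factory=list)


def _values(headers: Headers, name: str) -> List[str]:
    """All values for a header, case-insensitive on the name, with comma-joined
    duplicates (what Apache's `Header append` produces) split apart."""
    out: List[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            out.extend(part.strip() for part in value.split(",") if part.strip())
    return out


def _frame_ancestors(headers: Headers) -> List[List[str]]:
    """frame-ancestors source lists, one per CSP policy; only the first
    frame-ancestors directive in a policy is honoured by browsers."""
    found: List[List[str]] = []
    for policy in _values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append([t.lower() for t in tokens[1:]])
                break
    return found


def assess_framing_protection(headers: Headers) -> FramingVerdict:
    warnings: List[str] = []
    policies = _frame_ancestors(headers)
    xfo = [v.lower() for v in _values(headers, "X-Frame-Options")]

    if policies:
        if xfo:
            warnings.append("X-Frame-Options is ignored when frame-ancestors is present")
        # Every policy is enforced, so the most restrictive one decides.
        # An empty source list matches nothing and therefore also blocks.
        if any(p == ["'none'"] or not p for p in policies):
            return FramingVerdict("blocked", "CSP frame-ancestors 'none'", warnings)
        if any(p == ["'self'"] for p in policies):
            return FramingVerdict("same-origin", "CSP frame-ancestors 'self'", warnings)
        return FramingVerdict("allowlist", "CSP frame-ancestors " + " ".join(policies[0]), warnings)

    if not xfo:
        return FramingVerdict("frameable", "no X-Frame-Options or frame-ancestors header", warnings)

    distinct = set(xfo)
    if len(distinct) > 1:
        # HTML standard: several distinct values that include a recognised
        # directive are treated as DENY. Safe, but an operator who wanted
        # SAMEORIGIN just broke their own same-origin framing.
        if distinct & {"deny", "sameorigin", "allowall"}:
            warnings.append(f"conflicting values {sorted(distinct)} collapse to DENY; "
                            "use `Header set`, not `append`")
            return FramingVerdict("blocked", "conflicting X-Frame-Options values", warnings)
        return FramingVerdict("frameable", "only unrecognised X-Frame-Options values", warnings)

    value = xfo[0]
    if value == "deny":
        return FramingVerdict("blocked", "X-Frame-Options: DENY", warnings)
    if value == "sameorigin":
        return FramingVerdict("same-origin", "X-Frame-Options: SAMEORIGIN", warnings)
    if value.startswith("allow-from"):
        warnings.append("ALLOW-FROM is obsolete: Chrome and Safari never supported it "
                        "and ignore the whole header; use CSP frame-ancestors")
    return FramingVerdict("frameable", f"X-Frame-Options '{value}' is not recognised, header ignored", warnings)


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "no header at all": [("Content-Type", "text/html")],
    "Apache `Header set DENY`": [("X-Frame-Options", "DENY")],
    "`Header append` on an app that already sent SAMEORIGIN": [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "lowercase header from a proxy": [("x-frame-options", "sameorigin")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "CSP overrides XFO": [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
                          ("X-Frame-Options", "SAMEORIGIN")],
    "CSP allowlist": [("Content-Security-Policy", "frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        v = assess_framing_protection(hdrs)
        print(f"{label:55} -> {v.verdict:11} ({v.reason})")
        for w in v.warnings:
            print(f"{'':55}    warning: {w}")
```

To run it against a live server, capture the headers with `curl -sI https://your-site.example/` and feed the X-Frame-Options and Content-Security-Policy lines in as (name, value) pairs; check an error page (a 404) as well, since that is where the Nginx `always` and Apache `always` parameters matter.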
So, I hope you liked it and now understand it from the developer's side, because "Every Hacker is a Developer". Shoot your queries here!
If you want to put this on your blog posts, mention me in the greets 🙂 Thank you!!