Protect yourself from clickjacking hack

Clickjacking is a browser security issue and is a vulnerability across a variety of browsers and platforms. A clickjack takes the form of embedded code or a script that can execute without the user's knowledge, such as clicking on a button that appears to perform another function. The hacker installs an invisible layer over the existing site, hijacking the user's clicks. The suspicious-less user will perform this way actions they never intended to, from apparently inoffensive ones, as following someone on Twitter, to really nasty things, like password, credit card information theft, and anything else you might (not want to) do on a webpage.

There are a series of counter-measures, from browser plugins to server side protection tools. Here is one you can perform (on most hosts). Fortunately most modern browsers are implementing a form of X-Frame-Options support, so now is possible to add a tag to HTTP page header to  prevent frame-based clickjacking. The modern browsers detect sites that insert the tag and  compatible browsers will raise a new error screen showing that the site owner does not allow their content to be uses in frames, with option to open the content in a new window. The solution is implemented in IE 8+, Safari, Firefox, Chrome, and Opera.

The settings

There are three settings for X-Frame-Options:

  1. SAMEORIGIN: This setting will allow page to be displayed in frame on the same origin as the page itself.
  2. DENY: This setting will prevent a page displaying in a frame or iframe.
  3. ALLOW-FROM uri: This setting will allow page to be displayed only on the specified origin.

The implementation

The ideal case - you can edit Apache's main configuration file (httdp.conf) - this is the line to be added:

Header always append X-Frame-Options SAMEORIGIN

Less ideal case - you are on shared hosting. Your chance is to add the necessary code to your .htaccess file:

Header append X-FRAME-OPTIONS "SAMEORIGIN"

Testing the result

You can use any web developer tool to view Response headers and ensure you see the following line in the output:

X-Frame-Options: SAMEORIGIN