How to prevent Clickjacking in Apache and IIS

Clickjacking is a well-known web application vulnerability in which an attacker's page loads the legitimate site inside a frame (normally an iframe) and layers it, often fully transparent, over or under decoy content, so that the victim's clicks and keystrokes are hijacked and land on the framed page. Without realising it, the user performs actions they never intended, such as changing account settings, approving a payment or handing over a password or credit card number. Behind the scenes the attacker combines CSS, iframes, HTML elements and JavaScript to build a decoy that closely resembles the branding of the target website.

To address the issue and protect their users and brands, most popular websites send a dedicated HTTP response header telling the browser not to render the document inside a frame. All modern browsers honour X-Frame-Options (values DENY and SAMEORIGIN; the older ALLOW-FROM value is obsolete and ignored by current browsers), and the Content-Security-Policy frame-ancestors directive supersedes it, lets you allow specific framing origins, and takes precedence when both are present. Note that these must be real response headers: browsers ignore X-Frame-Options and frame-ancestors delivered through a <meta http-equiv> tag, so the header has to come from the web server or the application.

On Apache, if your virtual host allows .htaccess overrides (AllowOverride must include FileInfo for the Header directive), add the following to .htaccess; the same lines also work directly in the <VirtualHost> or server configuration:

<IfModule mod_headers.c>
    # "always" applies the header to error responses (404, 500, ...) as well;
    # "set" replaces any earlier value instead of appending a second one,
    # which would make X-Frame-Options invalid and ignored by browsers.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

If the site already sends a Content-Security-Policy header with other directives, add frame-ancestors to that existing policy rather than overwriting it with a separate Header set, otherwise the other directives are lost.

If mod_headers is not enabled, enable it and restart Apache (Debian/Ubuntu commands shown; apachectl -M should then list headers_module):

sudo a2enmod headers

sudo service apache2 restart

On IIS, for ASP.NET (or any other) applications, set the headers as custom response headers in web.config as shown below, or through the HTTP Response Headers feature in IIS Manager, which writes the same section:

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <!-- remove first: if a parent configuration already defines the header,
           a second <add> with the same name is a configuration error -->
      <remove name="Content-Security-Policy" />
      <remove name="X-Frame-Options" />
      <add name="Content-Security-Policy" value="frame-ancestors 'self'" />
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>

We can also set these headers programmatically from server-side code (PHP's header(), Response.Headers in ASP.NET, HttpServletResponse.setHeader() in JSP/servlets). This is useful when you do not control the server configuration, but make sure the application sets each header exactly once and on every response, error pages included.
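The following is an added example, not code from the original article: the same two headers applied from application code rather than server configuration, written as a WSGI middleware in Python (the article names PHP/ASP.NET/JSP; the approach is the same there). It assumes a WSGI application; the demo app, its paths and the partner host name are constructed for illustration. The two details worth copying are that it replaces any X-Frame-Options the app already set instead of appending a second value, and that it merges frame-ancestors into an existing Content-Security-Policy instead of overwriting it.

```python
"""Added example (not from the original article): anti-framing headers set
from application code via a WSGI middleware. Assumptions: a WSGI app; the
demo app, its paths and the partner host are constructed for illustration."""

from wsgiref.util import setup_testing_defaults


class FrameProtectionMiddleware:
    """Add X-Frame-Options and CSP frame-ancestors to every response,
    including 4xx/5xx responses, which server configs often miss."""

    def __init__(self, app, xfo="SAMEORIGIN", frame_ancestors="frame-ancestors 'self'"):
        self.app = app
        self.xfo = xfo
        self.frame_ancestors = frame_ancestors

    def __call__(self, environ, start_response):
        def patched_start_response(status, response_headers, exc_info=None):
            return start_response(status, self._merge(response_headers), exc_info)
        return self.app(environ, patched_start_response)

    def _merge(self, response_headers):
        out = []
        csp_seen = False
        for name, value in response_headers:
            lname = name.lower()
            if lname == "x-frame-options":
                # Replace, never append: two differing X-Frame-Options values
                # make the header invalid and browsers ignore it entirely.
                continue
            if lname == "content-security-policy":
                csp_seen = True
                if "frame-ancestors" not in value.lower():
                    # Merge into the app's existing policy instead of
                    # overwriting it and losing its other directives.
                    value = value.rstrip("; ") + "; " + self.frame_ancestors
            out.append((name, value))
        out.append(("X-Frame-Options", self.xfo))
        if not csp_seen:
            out.append(("Content-Security-Policy", self.frame_ancestors))
        return out


def demo_app(environ, start_response):
    """Constructed sample application: the home page sets its own CSP and an
    obsolete X-Frame-Options value; any other path is a bare 404."""
    if environ.get("PATH_INFO", "/") == "/":
        start_response("200 OK", [
            ("Content-Type", "text/html"),
            ("Content-Security-Policy", "default-src 'self'"),
            ("X-Frame-Options", "ALLOW-FROM https://partner.example"),  # ignored by browsers
        ])
        return [b"<html><body>home</body></html>"]
    start_response("404 Not Found", [("Content-Type", "text/plain")])
    return [b"not found"]


def fetch(app, path):
    """Call a WSGI app in-process and return (status, headers); no server needed."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, list(headers)

    b"".join(app(environ, start_response))
    return captured["status"], captured["headers"]


if __name__ == "__main__":
    protected = FrameProtectionMiddleware(demo_app)
    for path in ("/", "/does-not-exist"):
        status, headers = fetch(protected, path)
        print(status)
        for name, value in headers:
            print(f"  {name}: {value}")
```

Running the block shows the home page ending up with a single X-Frame-Options: SAMEORIGIN and a merged policy default-src 'self'; frame-ancestors 'self', and the 404 response carrying both headers even though the application set none.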

Use the Network tab of the browser DevTools (Chrome DevTools or Firefox Developer Tools), or curl -I against the site, to inspect the response headers and confirm the settings are present and correct on every page, including error pages and responses served through a CDN or reverse proxy, which may strip or override headers.
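Reading the headers is only half the check; you also have to judge whether the browser will actually honour them. The following is an added example, not part of the original article: it parses a raw response header block as pasted from DevTools or curl -i and applies the browser rules discussed above (CSP frame-ancestors takes precedence over X-Frame-Options; conflicting X-Frame-Options values, ALLOW-FROM and unknown values are ignored; a wildcard frame-ancestors protects nothing). The sample responses are constructed, and the host names in them are placeholders.

```python
"""Added example (not part of the original article): decide from raw HTTP
response headers whether browsers will refuse to frame the page. The SAMPLES
below are constructed for illustration; their host names are placeholders."""

# Sources that let any (or nearly any) origin frame the page.
BROAD_SOURCES = {"*", "http:", "https:"}


def parse_response_headers(raw):
    """Turn the header block of a raw HTTP response into (name, value) pairs.

    Duplicates are kept on purpose: a repeated X-Frame-Options header is one
    of the misconfigurations we want to catch.
    """
    headers = []
    for line in raw.splitlines():
        line = line.rstrip("\r")
        if not line:
            break                       # blank line ends the header block
        if line.startswith("HTTP/"):
            continue                    # status line
        name, sep, value = line.partition(":")
        if sep:
            headers.append((name.strip(), value.strip()))
    return headers


def _values(headers, wanted):
    return [v for n, v in headers if n.lower() == wanted]


def assess_frame_protection(headers):
    """Return {'protected': bool, 'reason': str} for a list of (name, value)."""
    # 1. CSP frame-ancestors, when present, is what browsers enforce and it
    #    takes precedence over X-Frame-Options.
    ancestors = []
    for policy in _values(headers, "content-security-policy"):
        for directive in policy.split(";"):
            parts = directive.strip().split()
            if parts and parts[0].lower() == "frame-ancestors":
                ancestors.append(parts[1:])
    if ancestors:
        # Each policy is enforced independently, so one restrictive list
        # protects the page even if another policy says '*'.
        for sources in ancestors:
            if not BROAD_SOURCES.intersection(sources):
                shown = " ".join(sources) or "'none'"
                return {"protected": True, "reason": f"CSP frame-ancestors {shown}"}
        return {"protected": False, "reason": "CSP frame-ancestors allows any origin"}

    # 2. Fall back to X-Frame-Options. A repeated header or a comma-separated
    #    list both give the browser several values; if they differ, the whole
    #    header is discarded.
    xfo_values = []
    for value in _values(headers, "x-frame-options"):
        xfo_values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    if not xfo_values:
        return {"protected": False, "reason": "no X-Frame-Options or CSP frame-ancestors header"}
    distinct = set(xfo_values)
    if len(distinct) > 1:
        return {"protected": False,
                "reason": f"conflicting X-Frame-Options values {sorted(distinct)}; browsers ignore the header"}
    value = distinct.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": f"X-Frame-Options {value}"}
    if value.startswith("ALLOW-FROM"):
        return {"protected": False, "reason": "X-Frame-Options ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors"}
    return {"protected": False, "reason": f"unrecognised X-Frame-Options value {value!r} is ignored by browsers"}


# Constructed responses; host names are placeholders.
SAMPLES = {
    "hardened": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n"
                "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n\r\n",
    # What "Header append" produces when a parent config already set DENY.
    "append_bug": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY, SAMEORIGIN\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "csp_wildcard": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
    "error_page_missing": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    # Bogus X-Frame-Options, but the CSP is what the browser enforces.
    "csp_overrides_xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n"
                         "Content-Security-Policy: frame-ancestors 'none'\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = assess_frame_protection(parse_response_headers(raw))
        print(f"{name:20} protected={verdict['protected']!s:5} {verdict['reason']}")
```

Run it against a real response by pasting the output of curl -i into parse_response_headers; the append_bug and error_page_missing samples are the two cases that a quick glance at DevTools most often misses.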

[Figure: ClickJacking – Response header setting]

OWASP Reference: https://owasp.org/www-project-top-ten/
