To address the issue and protect their brands, most popular websites send their pages with a special field set in the HTTP response header that tells the browser not to show the document in frames. Fortunately, most modern browsers implement a form of X-Frame-Options support, so it is now possible to add a field to the HTTP response header to prevent frame-based clickjacking.
If you are on an Apache virtual host, you can implement X-Frame-Options by adding the following to your .htaccess:
<IfModule mod_headers.c>
    Header append X-FRAME-OPTIONS SAMEORIGIN
</IfModule>
If the headers module (mod_headers) is not enabled on the Apache server, run the commands below to enable it:
sudo a2enmod headers
sudo service apache2 restart
Alternatively, in IIS-based ASP.NET applications, we can do this by setting custom headers in the web.config file as shown below, or directly through the HTTP Response Headers option in the IIS settings:
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
We can also set this option programmatically from server-side code (PHP/ASP.NET/JSP) by configuring the response headers.
You can use any web developer tool, such as Firebug, to view the response headers and confirm that the setting has been applied to the web page correctly.
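The same check can be scripted over a captured response head; the following is an added example, not code from the original article. It goes slightly beyond the manual check by also flagging repeated or conflicting values, which Apache's `Header append` produces when the application has already set the header. The function names and sample responses are constructed for illustration.

```python
# Added example: audit X-Frame-Options in a captured HTTP response head.
# Function names and sample responses are constructed for illustration.

PROTECTIVE = {"DENY", "SAMEORIGIN"}


def xfo_values(raw_head):
    """Return every X-Frame-Options value found in a raw response head.

    Handles repeated header lines and comma-joined values (what Apache's
    `Header append` produces when the application already set the header).
    """
    values = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                               # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def audit_xfo(raw_head):
    """Classify the header as missing / ok / duplicated / conflicting / invalid."""
    values = xfo_values(raw_head)
    if not values:
        return "missing"
    distinct = set(values)
    if not distinct <= PROTECTIVE:
        return "invalid"        # e.g. a typo or the obsolete ALLOW-FROM
    if len(distinct) > 1:
        return "conflicting"    # DENY and SAMEORIGIN both present
    return "ok" if len(values) == 1 else "duplicated"


# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "protected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "unprotected": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "appended": "HTTP/1.1 200 OK\r\nx-frame-options: DENY, SAMEORIGIN\r\n\r\n",
    "repeated": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-FRAME-OPTIONS: sameorigin\r\n\r\n",
    "typo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n",
}

if __name__ == "__main__":
    for label, head in SAMPLES.items():
        print(f"{label:12} -> {audit_xfo(head)}")
```

Any result other than "ok" means the response should be reviewed before relying on it for framing protection.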