Clickjacking is well-known web application vulnerability where a transparent layer of attacker’s page overlays the primary webpage (mainly through iFrames) thereby hijacking the user clicks and actions. Unknowingly, the user may end up performing actions they would never intended to, like password, credit card information theft and so on. Behind the scenes, a set of CSS styles, iframes, HTML components and Javascript code are used that closely resembles the branding of a website.

To address the issue and protect their brands, most popular websites sends the web pages with a special field settings in HTTP response header to not show the document in frames. Fortunately most modern browsers are implementing a form of X-Frame-Options support, so now is possible to add a tag to HTTP page header to  prevent frame-based clickjacking.

If you are on an Apache virtual host, you can implement X-Frame-Options by adding to your .htaccess any of the following:

<IfModule mod_headers.c>
    Header append X-FRAME-OPTIONS SAMEORIGIN
</IfModule>

In case “HEADER” module is not enabled on Apache server, run below commands to make that works:

sudo a2enmod headers

sudo service apache2 restart

Alternatively, on IIS based ASP.NET applications we can do that by setting custom Headers on web.config file as shown below or directly through HTTP Response Headers option in IIS settings:

<system.webServer>
  ...

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  ...
</system.webServer>

We can also set this option from server side code (in PHP/ASP.NET/JSP) programmatically by configuring Response Headers.

You can use any web developer tool like Firebug to view Response headers and ensure if settings have been enabled on the web page correctly.