Secure Apache from Clickjacking

In this post, I will explain an important Apache2 configuration that is used to stop clickjacking. I got to know about clickjacking while working through the security checklist in AEM.

Q1. What is clickjacking?
Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they intended to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, another domain, or both. If it is still not clear to you, I am attaching a video URL that explains it much better.

Q2. How to stop clickjacking in AEM using the Apache2 server?
There is a response header named X-Frame-Options. Setting it tells the browser not to render the page inside a frame on another site, which is what stops clickjacking.

Q3. What is the syntax of this configuration?
Header set X-Frame-Options: "sameorigin"

Q4. Where do we find this configuration?
In Apache 2.4 you have a security.conf file in the conf-available directory. In this file, search for X-Frame-Options; the setting is already present there but commented out by default. Now you have two options.
  1. Uncomment this setting and restart your Apache2 server.
  2. Copy and paste this setting into the apache2.conf file, uncomment it, and restart your Apache2 server.

In my case, I copied and pasted this setting into the apache2.conf file, uncommented it and restarted my Apache2 server.

Q5. Apache server is throwing an error when restarting after this configuration?
It may be possible that you get an error when starting the Apache2 server after adding this configuration. The reason is that the Header directive requires the headers module (mod_headers), which is disabled by default. Enable the module and your Apache server will start successfully.

Q6. How to enable the headers module (mod_headers) in the Apache2 server?
To enable this module you have a headers.load file in the mods-available directory of your Apache2 server. In my case, it is present at /etc/apache2/mods-available. Just do one thing: create a softlink to it in your mods-enabled folder. If you are an Ubuntu user, execute this command:

Now you will see this soft link in your mods-enabled folder. Restart your Apache2 server.

Q7. How to check whether it's working or not?
After restarting your Apache2 server, request a non-cached page through the Apache2 server (so the response really comes from Apache and not from a cache). Open the browser's developer tools and check the response headers. You will see the X-Frame-Options header field, as shown below.

If you see this header on your page, your configuration is working.
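As an added example (not part of the original post), here is a small POSIX shell script that automates the checks behind Q4 to Q7 on a Debian/Ubuntu layout: whether a config file has an active (uncommented) X-Frame-Options directive, whether the mod_headers softlink exists in mods-enabled, and whether a response carries a value browsers will honour. The /etc/apache2 default, the function names and the sample response are my assumptions, not anything from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Checks the three things the post
# relies on: an active Header directive, an enabled mod_headers, and the
# header actually present in a response. Paths default to Debian/Ubuntu.

# Does the config file contain an ACTIVE (uncommented) X-Frame-Options directive?
# Debian's security.conf ships it commented out, which this correctly ignores.
conf_has_xfo() {
    grep -Eiq '^[[:space:]]*Header[[:space:]]+(always[[:space:]]+)?set[[:space:]]+X-Frame-Options' "$1"
}

# Is mod_headers enabled the Debian way, i.e. is there a headers.load softlink
# in mods-enabled (the link the post's Q6 step creates)? Dir is an assumption.
headers_mod_enabled() {
    [ -L "${1:-/etc/apache2}/mods-enabled/headers.load" ]
}

# Validate the X-Frame-Options value in response headers read from stdin
# (e.g. `curl -sI http://localhost/page | xfo_check`).
# Returns 0 when framing is restricted, 1 when the header is missing,
# 2 when the value is one browsers will not honour.
xfo_check() {
    value=$(tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 |
            cut -d: -f2- | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "MISSING: no X-Frame-Options header, any site can frame this page"
        return 1
    fi
    # RFC 7034 makes the value case-insensitive, so "sameorigin" is fine.
    case $(printf '%s' "$value" | tr '[:lower:]' '[:upper:]') in
        DENY)        echo "OK: X-Frame-Options=$value (no framing at all)"; return 0 ;;
        SAMEORIGIN)  echo "OK: X-Frame-Options=$value (framed only by same origin)"; return 0 ;;
        ALLOW-FROM*) echo "WEAK: $value is obsolete and ignored by current browsers"; return 2 ;;
        *)           echo "INVALID: '$value' is not a recognised value"; return 2 ;;
    esac
}

# Constructed sample response (not captured from a real server).
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache/2.4 (Ubuntu)
X-Frame-Options: sameorigin
Content-Type: text/html; charset=UTF-8'

printf '%s\n' "$SAMPLE_RESPONSE" | xfo_check
```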

Happy Coding..!!

Ankur Chauhan
Tech Lead.