X-Frame-Options is an HTTP response header that controls whether your site's pages may be embedded in other sites. Based on its value, a browser decides whether another site is allowed to open the page in an iframe. Setting it on your Apache web server protects your site's visitors from clickjacking attacks.


There are three values available for X-Frame-Options:

  • ‘SAMEORIGIN’ – With this setting, pages can be embedded only by pages of the same origin, for example an iframe of one of your own pages on your own site.
  • ‘ALLOW-FROM uri’ – Use this setting to allow one specific origin (website/domain) to embed pages of your site in an iframe.
  • ‘DENY’ – This will not allow any website, including your own, to embed your site's pages in an iframe.

Setup X-Frame-Options with Apache Configuration

Edit the Apache configuration file for your operating system. The configuration file can be found at:

Debian based systems: /etc/apache2/conf-enabled/security.conf
Redhat based systems: /etc/httpd/conf/httpd.conf

Now add one of the following entries to the file:

  • Allow for Same Origin (Default Action)

    Header set X-Frame-Options: "SAMEORIGIN"
    
  • Allow from a specific origin

    Header set X-Frame-Options: "ALLOW-FROM https://www.example.com/"

    ALLOW-FROM takes exactly one origin, and every "Header set" replaces the value set by the previous one, so listing several of these lines leaves only the last one in effect. Note also that ALLOW-FROM is obsolete: it was only honoured by Firefox and Internet Explorer/legacy Edge, while Chrome and Safari ignore the whole header when it carries this value, leaving the page frameable there. For a per-origin allow list use the Content-Security-Policy frame-ancestors directive instead.
  • Deny to everyone

    Header set X-Frame-Options: "DENY"
    

Save the configuration file and restart the Apache service to apply the changes. The Header directive is provided by mod_headers, which must be enabled (on Debian based systems: a2enmod headers); otherwise Apache refuses to start with an "Invalid command 'Header'" error.

Setup X-Frame-Options with .htaccess

For websites running in a shared hosting environment, you may not have privileges to modify the Apache configuration. In this case, you can create a .htaccess file in the document root and add the same setting there (the hosting configuration must allow this with AllowOverride FileInfo):

Header set X-Frame-Options: "SAMEORIGIN"

Use "Header set" rather than "Header append" here: append merges the value onto any X-Frame-Options header the server configuration already sends, which produces a comma-joined value such as "DENY, SAMEORIGIN" that browsers reject (see the conflicting-values error quoted in the comments below).
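The following script is an added example, not part of the original article: it evaluates the X-Frame-Options policy a browser would actually apply to a set of response headers, including the conflicting-values case that arises when two configuration files (or a .htaccess "Header append") each emit the header. The header sets are constructed samples, not captured from a real server.

```python
# Added example (not from the original article): work out the effective
# X-Frame-Options (XFO) policy from raw response headers.
# All sample headers below are constructed for illustration.

def xfo_policy(headers):
    """Return (verdict, detail) for a list of (name, value) response headers.

    Mirrors browser behaviour: several X-Frame-Options headers, or one
    comma-joined value as produced by 'Header append', are split into
    individual values; if they disagree the page is refused in any frame.
    """
    values = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            values.extend(v.strip().upper() for v in value.split(",") if v.strip())
    if not values:
        return ("missing", "no X-Frame-Options header; framing is not restricted by XFO")
    if len(set(values)) > 1:
        return ("conflict", f"conflicting values {values}; browsers fall back to deny")
    v = values[0]
    if v in ("DENY", "SAMEORIGIN"):
        return (v.lower(), f"{v} applied consistently")
    if v.startswith("ALLOW-FROM"):
        return ("allow-from", "obsolete; Chrome and Safari ignore it, use CSP frame-ancestors")
    return ("invalid", f"unrecognised value {v!r}; browsers treat it as absent")


# Constructed samples mirroring the cases discussed in the article.
SAMPLES = {
    "server_conf_only": [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")],
    # security.conf says DENY while ssl-params.conf still says SAMEORIGIN
    "two_conf_files": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    # .htaccess 'Header append' on top of a server-level 'Header set'
    "htaccess_append": [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "allow_from": [("X-Frame-Options", "ALLOW-FROM https://www.example.com/")],
    "no_header": [("Content-Type", "text/html")],
}


def audit(samples=SAMPLES):
    """Map each sample name to the verdict a browser would reach."""
    return {name: xfo_policy(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, detail = xfo_policy(hdrs)
        print(f"{name:18} {verdict:10} {detail}")
```

To check a live server, feed the script the header list returned by a real HTTP client; the verdict logic does not change.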

3 Comments

  1. Very helpful, thank you. Note that if you are running SSL (on Debian 9, at least), you will need to change X-Frame-Options in *both* the following files:

    /etc/apache2/conf-available/security.conf
    /etc/apache2/conf-available/ssl-params.conf

    Otherwise you will get an error similar to the following (in the chrome console):

    Refused to display ‘*****’ in a frame because it set multiple ‘X-Frame-Options’ headers with conflicting values (‘DENY, SAMEORIGIN’). Falling back to ‘deny’.
