Secure Nginx from Clickjacking Attacks

What is Clickjacking?

Clickjacking is also known as “User Interface redress attack”.

The attacker uses a malicious technique of tricking a user to click a button or link, which reveals the confidential information, which in turn allows attacker to take control of the user’s computer or the web browser.

In Web browsers, It’s a browser security issue that is a vulnerability across different browsers and platforms.

How to prevent from Clickjacking?

X-frame-options is a HTTP response header also known as HTTP security header.

The X-frame-options in HTTP response headers can be used to prevent any clickjacking attacks.

It defines whether a browser should be allowed or not, To render a page in frames.

Setting UP X-Frame-Options:

There are 3 ways of setting up X-Frame-Options in a Web server.

SAME ORIGIN:

This directive allows the page to be rendered in the frame if the frame has same origin as the page.

ALLOW FROM URI:

This directive has now became obsolete and shouldn’t be used.using this option , The page can be rendered in that is originated form specific uri.

DENY:

This will completed deny the pages to be rendered in frame or iframe.

Configuring Nginx:

Let’s go ahead and implement X-Frame-Option in Nginx.To do so, Login to the server, Go the directory where Nginx is installed.In most cases it will be /etc/nginx/ directory.

Check out these articles:

How to Launch EC2 Instance from Console

How to Setup WordPress site with Nginx

How to configure Nginx

Take the backup of nginx.conf before modifying.

open nginx.conf file and then add the below parameter in the http block.

add_header X-Frame-Options SAMEORIGIN;

save Nginx configuration and restart the Nginx service.

Verifying above configuration:

To test the same, You can use web developer tools to see the response of HTTP headers or using the Online tools.

nginx
nginx

Here is the configuration for DENY & ALLOW FROM URI:

add_header X-Frame-Options "allow-from https://domain.com/";
add_header X-Frame-Options "DENY";

I hope this helps to secure your Nginx web server from Clickjacking attacks.

Please do check out my other useful resources.

How to Add Cross-Domain Resource sharing in S3 Bucket?

How to install WordPress with Nginx on Ubuntu

CREATE AMI FROM EXISTING EC2 INSTANCE

Amazon Web Services

How to Create and use AWS Document DB