What is Clickjacking?
Clickjacking is also known as a “UI redress attack”.
The attacker loads the target site in a transparent or hidden frame on top of a page they control and tricks the user into clicking what looks like a harmless button or link. The click actually lands on the framed page, so the user unknowingly performs an action in their own authenticated session on the target site, such as changing a setting, approving a transfer or granting a permission.
It is a browser-side weakness rather than a bug in any one application: every major browser and platform will render a page inside a frame unless the page tells the browser not to allow it.
How to prevent from Clickjacking?
X-Frame-Options is an HTTP response header, one of the so-called HTTP security headers.
Sending it in the response is the classic way to prevent a page from being used in a clickjacking attack.
It tells the browser whether it is allowed to render the page inside a frame, iframe, embed or object element.
Setting Up X-Frame-Options:
There are three values the header can take:
SAMEORIGIN:
The page may be rendered in a frame only if the framing page has the same origin as the page itself.
ALLOW-FROM uri:
The page may be rendered in a frame only by the single origin given in the uri. This directive is obsolete and must not be used: current browsers ignore it, which leaves the page unprotected. If one specific site needs to frame your page, use the frame-ancestors directive of the Content-Security-Policy header instead.
DENY:
The page may not be rendered in a frame or iframe at all, not even by pages from the same origin.
Let’s go ahead and implement X-Frame-Options in Nginx. To do so, log in to the server and go to the directory where the Nginx configuration lives, which in most cases is /etc/nginx/.
Take a backup of nginx.conf before modifying it.
Open nginx.conf and add the following directive inside the http block:
add_header X-Frame-Options "SAMEORIGIN" always;
Save the configuration, check it with nginx -t and reload the Nginx service (for example with systemctl reload nginx).
Two Nginx details are worth knowing here. First, add_header directives are inherited from the http block only by server and location blocks that define no add_header of their own, so any block that adds its own headers must repeat this line or the header silently disappears for that path. Second, without the always parameter (available since Nginx 1.7.5) the header is only added to successful and redirect responses, not to error pages such as 404 or 500.
Verifying the above configuration:
To test it, open the browser's web developer tools and inspect the response headers on the Network tab, run curl -I against the site and look for the X-Frame-Options line, or use an online header checker. Check an error page as well as the home page, so that a missing always parameter shows up.
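As an added example, not part of the original article, here is a small POSIX shell checker that reads raw HTTP response headers on stdin and reports whether X-Frame-Options is present and usable. The function name classify_xfo is my own, and the sample responses in the script are constructed here so it runs offline; in practice you would feed it the output of curl -sI against your server.

```shell
#!/bin/sh
# Added example, not part of the original article: classify the
# X-Frame-Options header found in HTTP response headers read on stdin.
# Live use:   curl -sI https://your-host/ | classify_xfo
# The sample responses below are constructed for offline testing; they were
# not captured from any real server.

# Prints exactly one verdict on stdout and always returns 0:
#   PROTECTED  a single DENY or SAMEORIGIN header is present
#   MISSING    no X-Frame-Options header at all
#   OBSOLETE   ALLOW-FROM, which current browsers ignore (no protection)
#   DUPLICATE  more than one X-Frame-Options header (e.g. app and nginx both set it)
#   INVALID    any other value, which browsers also ignore
classify_xfo() {
    # Strip CRs (curl output is CRLF), keep only X-Frame-Options lines
    # (header names are case-insensitive), drop the name and surrounding
    # whitespace, and lower-case the value.
    values=$(tr -d '\r' \
        | grep -i '^x-frame-options:' \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' \
        | tr '[:upper:]' '[:lower:]')

    if [ -z "$values" ]; then
        echo MISSING
        return 0
    fi

    # One value per line; more than one header is ambiguous and must be fixed
    # in the configuration rather than left for the browser to resolve.
    if [ "$(printf '%s\n' "$values" | grep -c .)" -gt 1 ]; then
        echo DUPLICATE
        return 0
    fi

    case "$values" in
        deny|sameorigin) echo PROTECTED ;;
        allow-from*)     echo OBSOLETE ;;
        *)               echo INVALID ;;
    esac
    return 0
}

# --- Constructed sample responses (not real captures) -----------------------
SAMPLE_OK='HTTP/1.1 200 OK
Server: nginx
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

SAMPLE_OBSOLETE='HTTP/1.1 200 OK
x-frame-options: allow-from https://domain.com/'

SAMPLE_DUPLICATE='HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN'

# An error response with CRLF line endings, as a real server would send it.
SAMPLE_CRLF=$(printf 'HTTP/1.1 404 Not Found\r\nX-Frame-Options: deny\r\n\r\n')

# Demo run: print a verdict for each constructed sample.
for sample in "$SAMPLE_OK" "$SAMPLE_MISSING" "$SAMPLE_OBSOLETE" \
              "$SAMPLE_DUPLICATE" "$SAMPLE_CRLF"; do
    printf '%s\n' "$sample" | classify_xfo
done
```

To gate a deployment on the result, compare the verdict in a condition, for example [ "$(curl -sI https://your-host/ | classify_xfo)" = PROTECTED ]. Run it against an error page too: an Nginx configuration without the always parameter produces MISSING there even though the home page reports PROTECTED.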
Here are the corresponding directives for DENY and the obsolete ALLOW-FROM:
add_header X-Frame-Options "DENY" always;
add_header X-Frame-Options "ALLOW-FROM https://domain.com/" always;
The ALLOW-FROM line is shown only for completeness: current browsers ignore it, so a page sent with it is left unprotected. Use DENY or SAMEORIGIN, and if a single other site genuinely needs to frame your page, express that with the frame-ancestors directive of the Content-Security-Policy header instead.
I hope this helps you secure your Nginx web server against clickjacking attacks.