Set x-frame-options to allow and disallow certain URLs to frame a page

I want to prevent my website from being clickjacked by someone else. So in my .htaccess file, I placed this code (which is working correctly):

Header set X-Frame-Options SAMEORIGIN

My website is now secured from being iframed by any site on the internet. However, I recently developed a mobile application that fetches the pages under about-us hosted on my website (my website contains www.mywebsite/about-us/author and www.mywebsite/about-us/company) to display the same details in the app. So what I did was add these lines to my .htaccess file:

# Request_URI starts with "/"; no trailing "$" so sub-pages such as /about-us/author also match
SetEnvIf Request_URI "^/about-us/" aboutus_page
# Only send the header when the request did not set the aboutus_page variable
Header set X-Frame-Options SAMEORIGIN env=!aboutus_page

I want the rest of my pages to be free from being iframed, except all pages under mywebsite/about-us/ "any page".

Joey asked Sep 16 '15 08:09



1 Answer

At least in Apache 2.4, %{REQUEST_URI} won't work for the usual SPA kind of URI. Use %{THE_REQUEST} instead. Then, SetEnvIf is not as flexible, so I recommend simply using <If> sections. I just tested the below and it works:

# THE_REQUEST is the full request line, e.g. "GET /about-us/author HTTP/1.1".
# Set the header only when "about-us" does not appear anywhere in that line.
<If "%{THE_REQUEST} !~ /about-us/">
  Header set X-Frame-Options SAMEORIGIN
</If>

Nestor Urquiza answered Oct 16 '22 13:10
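A check worth running before deploying the answer's rule, added here as an example and not part of the answer or of Apache: the `<If>` expression matches the substring "about-us" anywhere in the request line, so a query string or an unrelated path containing that text also loses the SAMEORIGIN header. The script below emulates the answer's substring rule next to a path-anchored rule over constructed request lines (the sample requests and function names are the example's own assumptions) and lists where the two disagree.

```python
import re
from urllib.parse import urlsplit

# Constructed request lines, in the form Apache exposes as %{THE_REQUEST}.
SAMPLE_REQUESTS = [
    "GET /about-us/author HTTP/1.1",
    "GET /about-us/company?lang=en HTTP/1.1",
    "GET /index.html HTTP/1.1",
    "GET /login?next=/about-us/author HTTP/1.1",   # query string mentions about-us
    "GET /blog/about-us-refresh HTTP/1.1",          # path merely contains the substring
]


def answer_policy_sets_header(request_line: str) -> bool:
    """Mirror the answer's <If "%{THE_REQUEST} !~ /about-us/">: the header is
    set unless "about-us" appears anywhere in the request line."""
    return re.search(r"about-us", request_line) is None


def path_policy_sets_header(request_line: str) -> bool:
    """Path-anchored alternative: exempt only targets whose path is /about-us
    or starts with /about-us/, ignoring method, query string and version."""
    _method, target, _version = request_line.split(" ", 2)
    path = urlsplit(target).path
    return not (path == "/about-us" or path.startswith("/about-us/"))


def compare_policies(request_lines):
    """Return the request lines where the two rules disagree, i.e. pages the
    substring match would leave frameable although they are not under
    /about-us/."""
    return [
        line for line in request_lines
        if answer_policy_sets_header(line) != path_policy_sets_header(line)
    ]


if __name__ == "__main__":
    for line in compare_policies(SAMPLE_REQUESTS):
        print("exempted by substring match but protected by path match:", line)
```

On the constructed requests, compare_policies returns the /login?next=... and /blog/about-us-refresh lines, which the substring rule would serve without X-Frame-Options.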