To defence the Clickjacking attack on your Apache web server, you can use X-FRAME-OPTIONS to avoid your website being hacked from Clickjacking.


The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.


This will prevent site content embedded into other sites.


Did you every try embed on your website as a frame? You can’t because it’s protected and you can protect it too.


There are three settings for X-Frame-Options:

SAMEORIGIN: This setting will allow a page to be displayed in a frame on the same origin as the page itself.

DENY: This setting will prevent a page displaying in a frame or iframe.

ALLOW-FROM uri: This setting will allow a page to be displayed only on the specified origin.


Implement in Apache, IBM HTTP Server


  • Login to Apache or IHS server
  • Take a backup of a configuration file
  • Add following line in httpd.conf file
Header always append X-Frame-Options SAMEORIGINCopy


  • Restart the respective webserver to test the application


Implement in Shared Web Hosting


If your website is hosted on shared web hosting, then you won’t have permission to modify httpd.conf.


However, you can achieve this by adding the following line in the .htaccess file.



Change is reflected immediately without doing any restart.



You can use any web developer tool to view Response headers. You can also use an online tool – Header Checker to verify.


Want our admins to secure Apache from Clickjacking with X-FRAME-OPTIONS, hire our experts!!

Was this answer helpful? 0 Users Found This Useful (0 Votes)