Setting up the header "X-Frame-Options"
This guide details the "X-Frame-Options" header, which a website can use to protect itself, in particular against clickjacking attacks. Note that the "X-Frame-Options" header may not be supported by all web browsers. It is therefore advisable to combine it with other methods to enhance the security of your website.
Possible values for the header
The "X-Frame-Options" header can be set to prevent a website from being loaded into a frame or iframe. There are three possible values for this header:
- "DENY": the website cannot be loaded in a frame or iframe
- "SAMEORIGIN": the website can be loaded in a frame or iframe only if the source of the frame or iframe belongs to the same domain as the website
- "ALLOW-FROM uri": the website can be loaded in a frame or iframe only from the specified URI
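To make the three values concrete, here is an added Python example (not part of this guide and not code from the hosting platform) that models how a browser evaluates the header: given the header value, the URL of the framed page and the URL of the top-level page, it decides whether framing is allowed. The header values and URLs are constructed sample inputs; the `supports_allow_from` switch is an assumption used to show what happens in a browser that does not recognise "ALLOW-FROM" (it treats the value as invalid and ignores the header), which is why the guide advises combining this header with other protections.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple:
    """Reduce a URL to its (scheme, host, port) origin, filling in default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def parse_x_frame_options(value: str) -> tuple:
    """Parse an X-Frame-Options value into (directive, uri).

    Raises ValueError for anything that is not one of the three documented
    forms; a browser treats such a value as invalid and ignores the header.
    """
    tokens = value.strip().split()
    if not tokens:
        raise ValueError("empty X-Frame-Options value")
    directive = tokens[0].upper()
    if directive in ("DENY", "SAMEORIGIN"):
        if len(tokens) != 1:
            raise ValueError(f"{directive} takes no argument: {value!r}")
        return directive, None
    if directive == "ALLOW-FROM":
        if len(tokens) != 2:
            raise ValueError(f"ALLOW-FROM needs exactly one URI: {value!r}")
        return directive, tokens[1]
    raise ValueError(f"unknown X-Frame-Options directive: {tokens[0]!r}")


def framing_allowed(header_value: str, page_url: str, top_url: str,
                    supports_allow_from: bool = True) -> bool:
    """Return True if a page served with this header may be displayed inside a
    frame whose top-level document is top_url.

    supports_allow_from is an assumed switch modelling a browser that does not
    understand ALLOW-FROM: such a browser sees an unknown value, ignores the
    header entirely and allows framing from anywhere.
    """
    directive, uri = parse_x_frame_options(header_value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        # Same origin means scheme, host and port all match, not just the domain name.
        return origin_of(page_url) == origin_of(top_url)
    # ALLOW-FROM
    if not supports_allow_from:
        return True  # header ignored: no clickjacking protection at all
    return origin_of(uri) == origin_of(top_url)


# Constructed scenarios: (header, framed page, top-level page, browser supports ALLOW-FROM)
SCENARIOS = [
    ("DENY", "https://shop.example/checkout", "https://shop.example/", True),
    ("SAMEORIGIN", "https://shop.example/checkout", "https://shop.example/help", True),
    ("SAMEORIGIN", "https://shop.example/checkout", "https://other.example/", True),
    ("SAMEORIGIN", "https://shop.example/checkout", "http://shop.example/", True),
    ("ALLOW-FROM https://partner.example", "https://shop.example/checkout", "https://partner.example/embed", True),
    ("ALLOW-FROM https://partner.example", "https://shop.example/checkout", "https://other.example/", True),
    ("ALLOW-FROM https://partner.example", "https://shop.example/checkout", "https://other.example/", False),
]


def evaluate_scenarios(scenarios=SCENARIOS) -> list:
    """Evaluate each scenario and return a list of (header, top_url, allowed)."""
    return [(h, top, framing_allowed(h, page, top, sup)) for h, page, top, sup in scenarios]


if __name__ == "__main__":
    for header, top, allowed in evaluate_scenarios():
        print(f"{header:38} framed from {top:32} -> {'allowed' if allowed else 'blocked'}")
```

The fourth scenario is worth noting: "SAMEORIGIN" compares the full origin, so an http:// top-level page cannot frame an https:// page from the same host. The last scenario shows the practical weakness of "ALLOW-FROM": in a browser that does not support it, the header gives no protection at all rather than falling back to a safe default.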
You can set this header by adding the following line to your .htaccess file:
Header set X-Frame-Options "DENY"
or, since PHP is executed under FPM, by calling PHP's header() function before any output is sent, in the same way as for the STS deactivation, e.g.:
header('X-Frame-Options: DENY');
Replace "DENY" with the desired value for this header.