Clickjacking is a well-known web application vulnerability. In my last post, I talked about how to secure Apache Web Server, IBM HTTP Server & .htaccess, and some of you asked about Nginx. So here you go…

The X-Frame-Options HTTP response header tells a browser whether or not it is allowed to render a page inside a frame or iframe. Sending it prevents your site's content from being embedded into other sites. Did you ever try to embed Google.com on your website in a frame? You can't, because it is protected, and you can protect your site the same way. There are three settings for X-Frame-Options:

Implementation

Go to the directory where Nginx is installed, then to its conf folder. Take a backup of nginx.conf before modifying it. Add the following parameter in nginx.conf under the server section:

Restart the Nginx web server.
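As an added example (not the configuration from the original post), here is a complete server block with the header set, assuming a hypothetical example.com site served from /var/www/html. It also shows the inheritance caveat that trips people up: a location block that declares its own add_header drops every header set at the server level.

```nginx
# Added example, not from the original post. Assumes example.com and /var/www/html.
server {
    listen 80;
    server_name example.com;
    root /var/www/html;

    # Refuse framing by any site, including pages from our own origin.
    # "always" (nginx >= 1.7.5) attaches the header to error responses (4xx/5xx) too;
    # without it, add_header only applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308.
    add_header X-Frame-Options "DENY" always;

    # To allow framing only by pages from the same origin, use this instead:
    # add_header X-Frame-Options "SAMEORIGIN" always;

    location /widgets/ {
        # Caveat: add_header is inherited from the server level only if this level
        # defines no add_header of its own. Because this location adds a header,
        # X-Frame-Options must be repeated here or responses under /widgets/ lose it.
        add_header Cache-Control "no-store" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
}
```

After reloading, check a page under /widgets/ as well as the root, since that is where a missing repeat of the header shows up.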

Verification

You can use the developer tools in your browser to view the response headers. It should look like this.

Alternatively, you can use an online HTTP header checking tool to verify this. I hope this helps. For more on security, check out my Nginx Hardening & Security guide. This is just one of the hundreds of security fixes for a website. If you are looking for a complete security solution, you may consider cloud-based security providers like SUCURI or Cloudflare.

Secure Nginx from Clickjacking with X-FRAME-OPTIONS