NGINX

Prevent Clickjacking Attacks with X-Frame-Options Header

Configure your Nginx server to add the `X-Frame-Options` HTTP header, preventing other sites from embedding your pages in iframes and protecting users from clickjacking attacks.

server {
    listen 80;
    listen 443 ssl;
    server_name example.com www.example.com;

    # ... other server configurations (SSL, root, etc.) ...

    # X-Frame-Options to prevent Clickjacking
    # DENY: No domain can frame this page.
    # SAMEORIGIN: Only pages from the same origin can frame this page.
    # ALLOW-FROM uri: deprecated and ignored by current browsers; use the CSP
    #   frame-ancestors directive instead if specific external domains must be
    #   allowed to frame the page.
    # "always" adds the header to every response code, including 3xx/4xx/5xx
    # responses, which Nginx would otherwise leave without it.
    add_header X-Frame-Options "SAMEORIGIN" always;

    # For more granular control use the CSP frame-ancestors directive. A browser
    # that sees frame-ancestors ignores X-Frame-Options, so both can be sent together:
    # add_header Content-Security-Policy "frame-ancestors 'self' https://trusted.example.com;" always;

    location / {
        # ... proxy_pass or root directive ...
        # Note: an add_header inside a location replaces ALL add_header directives
        # inherited from the server block, so repeat the X-Frame-Options line here
        # if this location sets any header of its own.
    }
}
How it works: This Nginx configuration snippet prevents clickjacking by adding the `X-Frame-Options` HTTP header to every response. With `SAMEORIGIN`, a browser only renders the page inside a frame whose top-level document has the same origin as the page itself; `DENY` refuses framing from any origin, including your own. The `always` parameter matters because without it Nginx only adds the header to 2xx and 3xx responses, leaving error pages unprotected. The header defends against sites that load your content in an invisible iframe and trick users into clicking its UI elements, so it must be sent on every HTML response, not just the landing page; check this with `curl -I` against both a normal page and a 404. `X-Frame-Options` can only express "nobody" or "same origin". When specific external domains need to embed your pages, use the `frame-ancestors` directive of a Content Security Policy header instead: browsers that support `frame-ancestors` ignore `X-Frame-Options` when both are present, so keeping the `X-Frame-Options` line is harmless and still covers older clients.
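The precedence rules above are easy to get wrong when auditing a server that sends both headers. The following is an added example (not part of the original snippet) that models a browser's framing decision from a set of response headers: if a `frame-ancestors` directive is present it is evaluated and `X-Frame-Options` is ignored; otherwise `DENY`/`SAMEORIGIN` apply, and `ALLOW-FROM` or any other value is treated as no restriction, which is what current browsers do. The source matching is a simplified reading of the CSP3 ancestor-source rules (scheme, host with a leading `*.` wildcard, port; paths are not considered). Header dictionaries and origins in the script are constructed to mirror the `add_header` lines in the snippet.

```python
"""Decide whether a browser would let a page be framed, from its response headers.

Added example (not from the original snippet).  Implements the precedence rule
that matters when both headers are sent: a Content-Security-Policy carrying a
frame-ancestors directive makes the browser ignore X-Frame-Options entirely.
Source matching is a simplified CSP3 ancestor-source check (no path matching).
"""

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_parts(origin):
    """Split "https://app.example.com:8443" into (scheme, host, port)."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def source_matches(source, page, embedder):
    """True if one frame-ancestors source expression admits the embedder origin."""
    src = source.lower()
    e_scheme, e_host, e_port = embedder
    if src == "'none'":
        return False
    if src == "'self'":
        return embedder == page
    if src == "*":
        return True
    if src.endswith(":") and "://" not in src:       # scheme-source, e.g. "https:"
        return e_scheme == src[:-1]
    scheme = None                                    # host-source: [scheme://]host[:port]
    if "://" in src:
        scheme, src = src.split("://", 1)
    host, _, port = src.partition(":")
    if scheme:
        if e_scheme != scheme:
            return False
    elif e_scheme != page[0] and not (page[0] == "http" and e_scheme == "https"):
        return False                                 # schemeless source follows the page's scheme
    if host.startswith("*."):
        if not e_host.endswith(host[1:]):            # "*.example.com" matches subdomains only
            return False
    elif e_host != host:
        return False
    if port == "*":
        return True
    if port:
        return e_port == int(port)
    return e_port == DEFAULT_PORTS.get(e_scheme)     # no port given: default port only


def framing_allowed(headers, page_origin, embedder_origin):
    """Decide whether embedder_origin may frame a page served with these headers."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin_parts(page_origin), origin_parts(embedder_origin)
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = frame_ancestors(csp)
        if sources is not None:                      # frame-ancestors present: XFO is ignored
            return any(source_matches(s, page, embedder) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # ALLOW-FROM (and any other value) is ignored by current browsers: no restriction.
    return True


if __name__ == "__main__":
    # Constructed headers mirroring the add_header lines in the Nginx snippet.
    xfo_only = {"X-Frame-Options": "SAMEORIGIN"}
    xfo_plus_csp = {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors 'self' https://trusted.example.com;",
    }
    page = "https://example.com"
    for name, hdrs in (("XFO only", xfo_only), ("XFO + CSP", xfo_plus_csp)):
        for embedder in ("https://example.com", "https://trusted.example.com",
                         "https://attacker.example"):
            print(f"{name:10} {embedder:30} framing allowed: "
                  f"{framing_allowed(hdrs, page, embedder)}")
```

Feed it the headers returned by `curl -I` for several responses (including an error page) to confirm every one of them is protected; a response that comes back "framing allowed: True" for the attacker origin is the one where the `always` parameter or a `location`-level `add_header` override is missing.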
