How to Use the Frame Blocking Facility (Anti-Clickjacking Defence) in Modern Web Browsers

Configure Apache to Prevent Your Site From Being Framed



by Christopher Heng, thesitewizard.com

This article has been superseded by How to Prevent Your Website from being Placed in a Frame. Please read the latter for the latest information.

One of the features that came with the release of Internet Explorer 8 ("IE 8") many years ago was a mechanism that lets webmasters prevent other sites from putting their pages in a frame. It has since been adopted by all the major browsers, namely Microsoft Edge, Firefox, Chrome and Safari.

Microsoft calls it a "clickjacking" defence (or "defense" if you use US English) because it helps to prevent malicious websites from hijacking the clicks on your page. In a clickjacking attack, a criminal loads your page in a frame on their own site, usually makes that frame invisible and positions it over some decoy content (a "Click here to claim your prize" button, say), so that a visitor who believes they are clicking the decoy is actually clicking a button or link on your page, with whatever account they happen to be logged into on your site. The frame-blocking facility is designed to stop your page from being loaded into that frame in the first place.

Of course some of you might say that there is already a commonly-used method to prevent your website from being framed, using JavaScript, as mentioned in one of thesitewizard.com's early articles on breaking out of frames as well as auto-generated by the Free Frame Breakout Wizard. However, the JavaScript method is far from foolproof, because it relies on a script embedded in your page to do the job. The general principle is that if something can be programmatically blocked by a script on a web page, the block can also be programmatically removed or neutralised by the framing site. For example, the framing page can load your page in an iframe with the sandbox attribute, which prevents your script from running at all, or it can trap the navigation your script triggers. And the removal can probably also be programmatically prevented. And so on. It's an arms race.

Basically, nothing beats a facility built into the web browser itself, designed from the ground up to prevent framing by external sites and enforced before any script on the page runs. And this facility is now available should you wish to use it.

Note: this article is meant for existing webmasters. If you are a webmaster-to-be, looking to see how easy or hard it is to make your own website, please read the How to Start / Create Your Own Website instead. If you are an ordinary computer user, searching for ways to protect your own computer, install an antivirus program instead, such as one of those on the Free Antivirus Software page, and keep it updated.

How to Prevent Your Website From Being Framed

To prevent your site from being framed, your web server (the program used by your web host to "serve" your website to your users) needs to send a special instruction to your visitors' web browser. This instruction is an HTTP response header called "X-Frame-Options". Note that it must be sent by the server as a header, alongside the page; putting it into the HTML of the page itself (for example in a "meta http-equiv" tag) does not work, because browsers ignore X-Frame-Options delivered that way.

There are two usable values for the X-Frame-Options header. The first, "DENY", tells the browser that your website is not to be placed in a frame under any circumstances. The second, "SAMEORIGIN", instructs browsers not to put your site in a frame unless the framing page has the same origin, that is, the same scheme (http or https), host name and port. In the second case, only a web page on your own site can put the other pages of that site in a frame. Sites on other domains, or even other subdomains (even if they belong to you), will not be allowed to. A third value, "ALLOW-FROM", once existed for allowing one specific other site, but it was never supported by Chrome or Safari and has since been dropped by the browsers that did support it, so do not rely on it; the Content-Security-Policy "frame-ancestors" directive covered in the newer article is the way to allow selected sites.

For the following procedure to work, your site must currently be hosted on an Apache web server, and your web host must allow you to change the server settings using a .htaccess file. This probably applies to most people using a commercial web host, although you may want to check with your web host to see if this is true for you as well. The "Header" directive used below also requires Apache's mod_headers module to be loaded. It almost always is on commercial hosts, but be aware that if it is not, Apache will answer every request to that folder with a "500 Internal Server Error" once the line is in place, so test your site immediately after publishing the file.

  1. Connect to your website using an FTP program. If you don't know what this is, and don't already use one, see the Filezilla tutorial to learn how you can do this using one such free FTP software.

  2. Go to the folder on your website that contains your home page file. That is, if your home page is www.example.com/index.html, go to the folder that contains the index.html file for your home page. (Be careful, there may be an index.html file in every subfolder, so make sure you go to the topmost web folder, the one where your home page file lives.)

    If there is a .htaccess file in that folder, download it to your computer. If you don't know where to download it to, just put it on your desktop. Note that this must be done using your FTP program. It cannot be done using a web browser. For example, you can't download it by going to your website with www.example.com/.htaccess. It won't work (unless your web host has misconfigured the server).

    If you can't find any .htaccess file in that folder, make sure that your FTP program is configured to show you hidden files. If it is, and you still can't find the .htaccess file, it means you don't have one. That's okay. We'll just create our own below.

  3. Start up a plain text editor. That is, if you use Windows, start up Notepad. (For example, to do this on Windows 7, hit the Start button, type "notepad" and hit the ENTER key.) Very important: do not use a wordprocessor. Do not use Microsoft Word. Do not use Wordpad. Do not use Microsoft Office, Excel, Powerpoint or any fancy software that allows you to do things like underline sentences or make words bold or the like. Those are the wrong type of programs for the task. Don't try to be clever here, or you may disable your entire website.

  4. If you have downloaded an existing .htaccess file, open that file in the editor. To do this, click the "File" menu, followed by the "Open" menu item, look for the .htaccess file on your desktop (or wherever you put it earlier), and click the "Open" button.

    If you don't have an existing .htaccess file, skip to the next step.

  5. Add one of the following lines to the file. If you're adding to an existing file, go to the end of the file, hit the ENTER key to make a new line and then add the line. If yours is a new file (i.e., empty), just start typing. (Actually, instead of typing, copy and paste the line I supplied. There's less room for typing errors that way.)

    For those who only want to prevent sites other than your current site from framing your pages, add the following line.

    Header set X-FRAME-OPTIONS "SAMEORIGIN"

    For those who want to prevent all sites (including the one that you're protecting) from framing your site, add the following line instead.

    Header set X-FRAME-OPTIONS "DENY"

    Do not add both lines. Either add the SAMEORIGIN line or the DENY line, not both. If you've forgotten which option does what, go back and reread the explanation.

  6. Hit the ENTER key to add a blank line after adding the line.

  7. Save the file (click the "File" menu, followed by the "Save" menu item). For users of Notepad, if you are creating a brand new file because you didn't have a .htaccess file previously, make sure you type ".htaccess", including the quotes (note: I said "including"), as the filename into the "Save As" dialog box. Then publish it, using your FTP program, to the same location you previously obtained it from. If there wasn't such a file before, make sure you publish it to the same folder as your website's home page.

That's it. All browsers that support this facility should now refuse to let other sites put any of your web pages in a frame. If you used the DENY option, it will also refuse to let your own site frame its own pages. To confirm the header is actually being sent, look at the response headers for your home page in your browser's developer tools (the "Network" tab), or use a command-line tool such as curl to fetch just the headers.
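The following is an added example and not part of the original article: a small POSIX shell script that generates the .htaccess fragment from the procedure above, wrapped so that it cannot take your site down if mod_headers is missing, and a checker that reads the headers a server actually sends (what "curl -sI URL" prints) and reports whether framing is blocked. It goes beyond the article in two ways: it adds the "always" condition, so the header is also sent on redirect and error pages, and it recognises the Content-Security-Policy frame-ancestors directive that supersedes X-Frame-Options. The function names, the sample headers and the example.com address are all constructed for this illustration; only grep, sed, cut and tr are assumed.

```shell
#!/bin/sh
# Added example (not from the original article): build the .htaccess
# fragment and check what a server really sends.

# Print the .htaccess lines for the chosen policy ($1 = DENY or SAMEORIGIN).
# The <IfModule> guard stops Apache from answering every request with a
# 500 error if mod_headers is not loaded. "always" is added so the header
# is also sent on redirects and error pages; a bare "Header set" applies
# to 2xx responses only, and a framed 404 page is still your page.
htaccess_frame_block() {
    case "$1" in
        DENY|SAMEORIGIN) ;;
        *) echo "usage: htaccess_frame_block DENY|SAMEORIGIN" >&2; return 2 ;;
    esac
    printf '%s\n' \
        '<IfModule mod_headers.c>' \
        "    Header always set X-Frame-Options \"$1\"" \
        '</IfModule>'
}

# Read raw HTTP response headers on stdin and report the effective framing
# policy. Exit 0 when framing is blocked, 1 when it is not. Header names
# and X-Frame-Options values are compared case-insensitively. A CSP
# frame-ancestors directive takes precedence over X-Frame-Options, as it
# does in browsers that support it. Only the first matching header is used.
check_frame_options() {
    hdrs=$(tr -d '\r')
    trim='s/^[[:space:]]*//;s/[[:space:]]*$//'

    fa=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy:' \
        | grep -io 'frame-ancestors[^;]*' | head -n 1 \
        | cut -s -d' ' -f2- | sed "$trim")
    if [ -n "$fa" ]; then
        if [ "$fa" = "*" ]; then
            echo "NOT protected: frame-ancestors * lets any site frame this page"
            return 1
        fi
        echo "protected by CSP frame-ancestors: $fa"
        return 0
    fi

    xfo=$(printf '%s\n' "$hdrs" | grep -i '^x-frame-options:' | head -n 1 \
        | cut -d: -f2- | sed "$trim")
    case "$(printf '%s' "$xfo" | tr '[:lower:]' '[:upper:]')" in
        DENY|SAMEORIGIN)
            echo "protected by X-Frame-Options: $xfo"
            return 0 ;;
        '')
            echo "NOT protected: no X-Frame-Options or frame-ancestors header"
            return 1 ;;
        *)
            echo "NOT protected: unsupported X-Frame-Options value '$xfo' (ALLOW-FROM is obsolete and ignored by current browsers)"
            return 1 ;;
    esac
}

# --- Demonstration on constructed sample responses (not captured from a real server) ---
echo "# .htaccess fragment:"
htaccess_frame_block SAMEORIGIN
echo "# Unprotected response:"
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' | check_frame_options || true
echo "# Protected response:"
printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n' | check_frame_options
# Against your live site (needs network):
#   curl -sI https://www.example.com/ | check_frame_options
```

Run the checker against the home page and also against a page that does not exist and a URL that redirects (for example the non-www to www redirect), since those are exactly the responses a bare "Header set" leaves unprotected.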

Copyright © 2009-2020 by Christopher Heng. All rights reserved.