How to Secure Apache from Clickjacking

I will explain how to secure Apache from clickjacking with one important Apache2 configuration setting. I first came across clickjacking while working through the security checklist in AEM. Let's understand what clickjacking is and how we can prevent clickjacking attacks in AEM.
Q1. What is clickjacking?

Clickjacking, also known as a “UI redress attack”, is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link to another page when they were intending to click on the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

If you’re still not clear about this concept then watch the video below.

Q2. How to stop clickjacking in AEM through the Apache2 Server?
Set the X-Frame-Options response header in the Apache2 configuration to prevent clickjacking attacks in AEM.
Q3. What is the syntax of this configuration?

Header set X-Frame-Options: "sameorigin"

Q4. Where do we find the X-Frame-Options configuration?
In Apache 2.4 there is a security.conf file in the conf-available directory. Search that file for X-Frame-Options: the setting is already present, but commented out by default. Now you have two options.
  1. Uncomment this setting and restart your Apache2 server.
  2. Copy and paste this setting into the apache2.conf file, uncomment it, and restart your Apache2 server.

While learning how to secure Apache from clickjacking, I copied and pasted this setting into the apache2.conf file, uncommented it and restarted my Apache2 server.

Q5. Apache server throws an error when restarting after this configuration?
You may get an error when starting the Apache2 server after adding this configuration. The reason is that the Header directive requires the mod_headers module, which is disabled by default. Enable the mod_headers module and your Apache server will start successfully.
Q6. How to enable mod_headers in the Apache2 server?

To enable this module you have a headers.load file in the mods-available directory of your Apache2 server. In my case it is at /etc/apache2/mods-available. Just do one thing: create a soft link to it in your mods-enabled folder. If you are an Ubuntu user, execute this command:

 ln -s /etc/apache2/mods-available/headers.load /etc/apache2/mods-enabled/headers.load
Now you will see this soft link in your mods-enabled folder. Restart your Apache2 server.
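The configuration from Q3 to Q6 collected into one fragment, as an added example that is not from the original post. It goes a little beyond the post: the directives are wrapped in an IfModule guard so that Apache still starts if mod_headers is missing (the failure described in Q5), "always" makes the header apply to error responses too, and the modern Content-Security-Policy frame-ancestors equivalent is sent alongside. The file path in the comments is the Debian/Ubuntu layout the post uses; on those systems "a2enmod headers" creates the same symlink as the ln command above.

```apache
# Added example (not from the post). Lives in a file such as
# /etc/apache2/conf-available/security.conf or apache2.conf.
#
# The IfModule guard avoids the startup failure
#   "Invalid command 'Header', perhaps misspelled or defined by a module
#    not included in the server configuration"
# when mod_headers is not loaded. Trade-off: with the module missing the
# header is then silently absent, so still enable it
# (a2enmod headers, or the symlink from Q6) and verify with the Q7 check.
<IfModule mod_headers.c>
    # Only pages from this same origin may frame this site.
    # Use "DENY" instead if nothing at all should be allowed to frame it.
    # The Ubuntu security.conf template spells the name with a trailing
    # colon ("X-Frame-Options:"); mod_headers accepts that form as well.
    Header always set X-Frame-Options "SAMEORIGIN"

    # Current browsers honour the CSP frame-ancestors directive in
    # preference to X-Frame-Options; sending both covers old and new
    # browsers with the same policy. If the application already emits a
    # Content-Security-Policy header, merge frame-ancestors into that
    # policy instead of replacing it with this one.
    Header always set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
```

After editing, run "apachectl configtest" before the restart so a syntax error is reported without taking the server down.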
Q7. How to check whether the configuration is working?

After restarting the Apache2 server, request a non-cached page through the Apache2 server. Open the browser's debugger and check the response headers. You will see the X-Frame-Options header field as shown below.

If you see this header on your page, your configuration is working and you've learnt how to secure Apache from clickjacking.
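A command-line version of the Q7 check, added here as an example (it is not part of the original post). It reads raw HTTP response headers on stdin and classifies the X-Frame-Options value, so it can be used interactively with curl or as a pass/fail gate in a deployment script. The sample responses below are constructed, and the curl URL is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Reads raw HTTP response
# headers on stdin and classifies the X-Frame-Options value that was sent.
# Prints one line: "ok <value>", "missing", or "other <value>".
xfo_status() {
    # Strip CRs, lower-case everything (the header name and its value are
    # case-insensitive), then keep the first token after "x-frame-options:".
    value=$(tr -d '\r' | tr '[:upper:]' '[:lower:]' \
        | sed -n 's/^x-frame-options:[[:space:]]*\([^[:space:]]*\).*/\1/p' \
        | head -n 1)
    case "$value" in
        deny|sameorigin) echo "ok $value" ;;
        "")              echo "missing" ;;
        *)               echo "other $value" ;;   # e.g. obsolete ALLOW-FROM, or a typo
    esac
}

# Exit-status wrapper for scripts and CI: succeeds only when framing is blocked.
check_xfo() {
    case "$(xfo_status)" in
        ok*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Constructed sample responses (not captured from a real server).
SAMPLE_OK='HTTP/1.1 200 OK
Server: Apache/2.4
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

SAMPLE_MISSING='HTTP/1.1 200 OK
Server: Apache/2.4
Content-Type: text/html'

printf '%s\n' "$SAMPLE_OK"      | xfo_status   # ok sameorigin
printf '%s\n' "$SAMPLE_MISSING" | xfo_status   # missing

# Against a live server after the restart (placeholder URL; -s silent,
# -I request only the headers):
#   curl -sI "http://localhost/content/page.html" | check_xfo && echo "clickjacking guard active"
```

Because the post's configuration is applied by Apache rather than by AEM, the header must be checked on a response that actually passed through Apache; a request sent straight to the AEM publish port would not show it.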

Read about other solutions for problems in AEM working in our blog. Argil DX comes up with innovative ideas, tools and solutions to help developers and businesses get the best out of their Experience Manager implementation.

Ankur Chauhan

July 27, 2015
