What is Apache Clickjacking Attack and How to Fix
Clickjacking is a well-known web application vulnerabilities. For example, it was used as an attack on Twitter.
To defence Clickjacking attack on your Apache HTTPD web server, you can use X-FRAME-OPTIONS to avoid your website being hacked from Clickjacking.
The X-Frame-Options in HTTP response header can be used to indicate whether or not a browser should be allowed to open a page in frame or iframe.
This will prevent site content embedded into other sites.
Apache HTTP Server based webServers like IBM HTTP Server
- Login to Apache or IHS server
- Take a backup of configuration file
- Add following line in conf file.
Header always append X-Frame-Options SAMEORIGIN
- Save the conf.
- Restart the respective web server to test the application
More from Middleware Inventory
Clickjacking attack - IIS
Overview Clickjacking (UI redress attack) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages. Affected versions IIS 7.x IIS 8.x Solution …
Sweet 32 Attack - Apache
Cross Site Scripting Attack - Apache/IHS
Overview Cross Site Scripting (XSS) protection can be bypassed in many browsers. You can apply this protection for a web application if it was disabled by the user. This is used by a majority of giant web companies like Facebook, Twitter, Google, etc. Solution Go to $Web_Server/conf directory Open…
How to Disable the Weak Ciphers – Apache/IHS
Overview SSL Cipher is an encryption algorithm, which is used as a key between two computers over the Internet. Data encryption is the process of converting plain text into secret ciphered codes. It’s based on your web server SSL Cipher configuration and strong protocol that allows data encryption to take…
Disable WebServer Banner Apache/IHS
Overview Don’t display or send Apache version (Set ServerTokens) By default, the server HTTP response header will contains apache and php version. Something similar to the following. This is harmful, as we don’t want an attacker to know about the specific version number. Apache can reveal information by default configuration,…