Clickjacking is an attack in which the attacker stacks transparent or opaque layers to trick a user into clicking a button or link on a hidden, framed page when they intended to click on the visible top-level page. The attacker thus "hijacks" clicks meant for their own page and routes them to another page, typically owned by another application, domain, or both. The attack only works if the target page can be loaded inside a frame on the attacker's site.
The main server-side way to prevent clickjacking, and the one covered here, is to tell the browser that the page must not be rendered inside a frame:
The X-Frame-Options HTTP response header tells a browser whether it may render the page inside a <frame>, <iframe> or <object>. Sites use it to ensure their content is not embedded in other sites, which defeats clickjacking.
The same header is also the defence against framesniffing: because that technique relies on being able to place the victim site in an IFRAME, a web application that sends an appropriate X-Frame-Options header cannot be targeted by it.
There are three possible values for X-Frame-Options:
DENY - the page may never be rendered in a frame, not even by the same site.
SAMEORIGIN - the page may only be framed by pages from the same origin (scheme, host and port).
ALLOW-FROM uri - the page may only be framed by the given origin. This value was never supported by all browsers and has since been dropped by those that did support it; a browser that does not understand it ignores the header entirely, so do not rely on it.
A browser that receives no X-Frame-Options header at all will frame the page from anywhere.
To configure Apache to send the X-Frame-Options header for all pages, make sure mod_headers is loaded and add this to your site's configuration (in httpd.conf, a virtual host, or an .htaccess file): Header always set X-Frame-Options "SAMEORIGIN". Use "set" rather than "append": append adds a second value if another configuration layer already sent one, which produces a header such as "DENY, SAMEORIGIN" that browsers may interpret differently from what you intended. The "always" condition makes Apache add the header to error responses (4xx, 5xx) as well, which can otherwise be framed.
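The following script is an added example, not code from the original page, that checks what a raw HTTP response will do once the browser applies the rules listed above for DENY, SAMEORIGIN and ALLOW-FROM. It flags the duplicated-header situation that "Header append" can cause. The sample responses and the bank/attacker host names are constructed for the example.

```python
"""Evaluate the X-Frame-Options header of a raw HTTP response (added example)."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], which is what SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def xfo_values(raw_response: str) -> list:
    """Collect every X-Frame-Options value in the response head.

    The header can occur more than once, or carry comma-joined values,
    when two configuration layers both add it (e.g. Apache 'Header append').
    """
    values = []
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    for line in head.split("\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(v.strip().lower() for v in value.split(",") if v.strip())
    return values


def framing_verdict(raw_response: str, page_url: str, framer_url: str) -> str:
    """Decide whether a page at framer_url may embed page_url in an iframe.

    Returns:
      'allowed'     - nothing usable stops framing; the page is clickjackable
      'blocked'     - the header stops this framer
      'conflicting' - several different values were sent; browsers do not
                      agree on how to treat that, so fix the configuration
    """
    values = set(xfo_values(raw_response))
    if not values:
        return "allowed"            # header absent
    if len(values) > 1:
        return "conflicting"        # e.g. DENY from one layer, SAMEORIGIN from another
    (value,) = values
    if value == "deny":
        return "blocked"
    if value == "sameorigin":
        same = origin_of(page_url) == origin_of(framer_url)
        return "allowed" if same else "blocked"
    # ALLOW-FROM is no longer supported, and an unrecognised value is ignored,
    # so in both cases the browser behaves as if no header had been sent.
    return "allowed"


# Constructed sample responses (not captured from a real server).
SAFE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
        "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>")
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
DOUBLED = ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
           "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>")

PAGE = "https://bank.example/transfer"      # assumed victim page
ATTACKER = "https://attacker.example/"       # assumed framing page

if __name__ == "__main__":
    for label, resp in (("safe", SAFE), ("unprotected", UNPROTECTED), ("doubled", DOUBLED)):
        print(f"{label:12s} framed by attacker: {framing_verdict(resp, PAGE, ATTACKER)}")
```

To check a live site, feed the output of curl -si against the page into framing_verdict; a result other than "blocked" for a cross-origin framer means the configuration above has not taken effect.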
To configure IIS to add an X-Frame-Options header to all responses for a given site, add this to your site's Web.config file:
<system.webServer>
    ...
    <httpProtocol>
        <customHeaders>
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
    ...
</system.webServer>
Apache
The traditional way to disable specific HTTP methods in the Apache web server is with mod_rewrite. mod_rewrite is a rule-based rewriting engine that can be configured in the main Apache configuration file or in an .htaccess file. A mod_rewrite rule has at least four components: the directive that loads the module, the directive that turns the rewrite engine on, a rewrite condition, and a rewrite rule.
Steps:
Search your Apache configuration file(s) for mod_rewrite.so. If the module is not loaded, add the following line to your Apache configuration file (typically httpd.conf); the module path shown is the Debian/Ubuntu one and differs between distributions:
LoadModule rewrite_module /usr/lib/apache2/modules/mod_rewrite.so
To enable the rewrite engine:
RewriteEngine On
To disable the OPTIONS method, add a condition that matches the request method and a rule that rejects the request:
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
i.e., the complete fragment is:
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^OPTIONS
RewriteRule .* - [F]
The flags in square brackets decide what happens when the rule matches: [F] answers with 403 Forbidden, [R] redirects the client, [L] stops processing further rules, and so on. After reloading Apache, verify the result with curl -i -X OPTIONS against the site; it should now return 403.
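As an added example (not configuration from the original page), here is one complete virtual host that combines the two Apache settings discussed above: it refuses a list of HTTP methods with mod_rewrite and sends the X-Frame-Options header with mod_headers. The host name, document root, module paths and the exact list of blocked methods are assumptions; adjust them to what the application actually needs.

```apache
# Added example: a hardened virtual host (names and paths are assumed).
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule headers_module modules/mod_headers.so

<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/html

    # Rewrite settings are not inherited by virtual hosts, so the engine is
    # switched on here rather than only in the global section.
    RewriteEngine On

    # Refuse the listed methods with 403. The ^...$ anchors match the whole
    # method name; HTTP method names are case-sensitive, so no [NC] is needed.
    # [F] = forbidden, [L] = stop processing further rules.
    RewriteCond %{REQUEST_METHOD} ^(OPTIONS|PUT|DELETE)$
    RewriteRule .* - [F,L]

    # "set" replaces any value an earlier layer added; "always" also covers
    # error responses, which can otherwise still be framed.
    Header always set X-Frame-Options "SAMEORIGIN"
</VirtualHost>
```

After a configuration test (apachectl configtest) and reload, curl -i -X OPTIONS https://www.example.com/ should return 403 and curl -si https://www.example.com/ should show exactly one X-Frame-Options line.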
Note: by default, rewrite configurations are not inherited by virtual hosts. Add RewriteEngine On, together with the conditions and rules, to each virtual host that needs them.

Tomcat
In Apache Tomcat, HTTP method restrictions are enforced through the security constraints defined by the Java Servlet specification. These are not placed in Tomcat's main server.xml file but in the web.xml deployment descriptor: the application's own WEB-INF/web.xml, or conf/web.xml to apply a constraint to every deployed application.
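The following web.xml fragment is an added example, not text from the original page, showing the security-constraint form the Servlet specification uses for this: an empty auth-constraint means no role is allowed, so the listed methods are refused for every caller. The method list and the url-pattern are assumptions.

```xml
<!-- Added example: refuse OPTIONS and TRACE for the whole application.
     Only the methods listed here are restricted; every method not listed
     stays reachable, so keep the list aligned with what the app exposes. -->
<security-constraint>
    <web-resource-collection>
        <web-resource-name>restricted methods</web-resource-name>
        <url-pattern>/*</url-pattern>
        <http-method>OPTIONS</http-method>
        <http-method>TRACE</http-method>
    </web-resource-collection>
    <!-- An empty auth-constraint denies access to all users. -->
    <auth-constraint/>
</security-constraint>
```

Tomcat answers a blocked method with 403. Note that Tomcat's HTTP connector already rejects TRACE unless allowTrace="true" is set on the Connector in server.xml, so the TRACE entry above is belt-and-braces rather than the primary control.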