How to configure X-Frame-Options header in Nginx

Secure Nginx web server from Clickjacking with X-FRAME-OPTIONS

Photo by Collin on Unsplash

The X-Frame-Options header is a security header that Nginx (and other web servers) can utilize to prevent clickjacking attacks. An attacker uses clickjacking to deceive a user into clicking on a maliciously constructed page that is hidden behind an invisible or disguised iframe on a legitimate website.

You can use the X-Frame-Options header to specify whether your website can be loaded within an iframe on another domain. You may protect your users by specifying the right value for this header, which prevents your website from being embedded in iframes on harmful or illegal domains.

Certainly! There are a couple of ways to include the X-Frame-Options header with a valid directive in Nginx. The following are valid directive options:

DENY Directive: This directive blocks any domain from loading your website in an iframe. It is the hardest method of combating clickjacking violence.

add_header X-Frame-Options "DENY";


SAMEORIGIN Directive: With this directive, your website can only be loaded in an iframe if the parent document is from the same origin (same domain). It allows for some flexibility while also protecting your website against cross-origin framing assaults.

add_header X-Frame-Options "SAMEORIGIN";


Policy on Content Security (CSP) The Frame-Ancients Directive: This directive is preferred for current browsers since it gives you more flexibility over frame options. It enables you to create a Content Security Policy that determines which domains are allowed to embed your website in an iframe.

add_header Content-Security-Policy "frame-ancestors 'self';";


Change '' to the domain(s) you want to enable to embed your website in an iframe. Multiple domains separated by spaces can be added.

You can allow multiple domains in the Content-Security-Policy (CSP) frame-ancestors directive. This lets you define numerous domains that can include your website in an iframe. Here's an example of how to allow multiple domains using the CSP frame-ancestors directive:

add_header Content-Security-Policy "frame-ancestors 'self';";


Select the right directive option depending on your individual needs and security concerns. Once you've decided, insert the corresponding 'add_header' directive into the appropriate Nginx server block. To make the changes take effect, save the configuration file and restart Nginx.

Remember to adapt the settings to the relevant server block and make sure you have permission to alter Nginx's configuration files.

Vishal Vyas [Linux Guru]

Welcome to Linux Guru! Hello, friends. My name is Vishal Vyas, and I am a DevOps engineer with expertise in Linux and Cloud Computing. I am also a Certified Kubernetes Administrator with over 12 years of experience in the IT field, working with various technologies. Through this blog, I aim to share my technical knowledge on Linux, AWS, DevOps, and web technologies. I will be posting about what I have learned from the latest web technologies and similar topics.

Post a Comment

If you have any doubts, Please let me know

Previous Post Next Post