Webmasters Only… I will not support anything!
This is the so-called “clickjacking” defence (or “defense” if you use US English), named because it is meant to help prevent malicious websites from hijacking your web page. That is, it is designed to stop hijackers from putting your website in a web frame on their page and using a script (a computer program embedded in their web page) against it.
To make this foolproof, put the setting in the .htaccess file in your site’s top-level folder.
Update: The latest versions of all major browsers, that is, Internet Explorer, Firefox, Opera, Chrome and Safari, now support the X-Frame-Options method described below.
To prevent your site from being framed, your web server (the program used by your web host to “serve” your website to your users) needs to send a special instruction to your visitors’ web browser. This instruction is called the “X-FRAME-OPTIONS” header.
There are currently two variations of the X-FRAME-OPTIONS header. The first, specifying “DENY”, tells IE 8 that your website is not to be placed in a frame under any circumstance. The second, specifying “SAMEORIGIN”, instructs IE 8 not to put your site in a frame unless the framing page is also on the same domain. That is to say, in the second case, only a web page on your own domain can put the other pages on that domain in a frame. Sites on other domains (even if they belong to you) will not be able to frame them.
For the following procedure to work, your site must currently be hosted on an Apache web server, and your web host must allow you to change the server settings using a .htaccess file. This probably applies to most people using a commercial web host, although you may want to check with your web host to see if this is true for you as well.
- Connect to your website using an FTP program. If you don’t know what this is, and don’t already use one, see Filezilla to learn how you can do this using one such free FTP program.
- Go to the folder on your website that contains your home page file. That is, if your home page is www.domain.com/index.html, go to the folder that contains the index.html file for your home page. (Be careful, there may be an index.html file in every subfolder, so make sure you go to the topmost web folder, the one where your home page file lives.)

  If there is a .htaccess file in that folder, download it to your computer. If you don’t know where to download it to, just put it on your desktop. Note that this must be done using your FTP program. It cannot be done using a web browser. For example, you can’t download it by going to your website with www.domain.com/.htaccess. It won’t work (unless your web host has misconfigured the server).

  If you can’t find any .htaccess file in that folder, make sure that your FTP program is configured to show you hidden files. If it is, and you still can’t find the .htaccess file, it means you don’t have one. That’s okay. We’ll just create our own below.
- Start up a plain text editor such as “Notepad”. Do not use Microsoft Word. Do not use Wordpad. Do not use Microsoft Office, Excel, Powerpoint or any fancy software that allows you to do things like underline sentences or make words bold or the like. Those are the wrong type of programs for the task. Don’t try to be clever here, or you may disable your entire website.
- If you have downloaded an existing .htaccess file, open that file in the editor. To do this, click the “File” menu, followed by the “Open” menu item, look for the .htaccess file on your desktop (or wherever you put it earlier), and click the “Open” button.

  If you don’t have an existing .htaccess file, skip to the next step.
- Add one of the following lines to the file. If you’re adding to an existing file, go to the end of the file, hit the ENTER key to make a new line and then add the line. If yours is a new file (ie, empty), just start typing. (Actually, instead of typing, copy and paste the line I supplied. There’s less room for typing errors that way.)

  For those who only want to prevent sites other than your current site from framing your pages, add the following line:

  `Header append X-FRAME-OPTIONS "SAMEORIGIN"`

  For those who want to prevent all sites (including the one that you’re protecting) from framing your site, add the following line instead:

  `Header append X-FRAME-OPTIONS "DENY"`

  Use plain straight quotes (") around the value, not the curly quotes a word processor produces; Apache passes the characters through literally. Do not add both lines. Either add the SAMEORIGIN line or the DENY line, not both. If you’ve forgotten which option does what, go back and reread the explanation.
- Hit the ENTER key to add a blank line after adding the line. Save the file (click the “File” menu, followed by the “Save” menu item). If you are creating a brand new file because you didn’t have a .htaccess file previously, make sure you type ".htaccess", including the quotes (note: I said “including”), as the filename into the “Save As” dialog box. Then publish it, using your FTP program, to the same location you previously obtained it from. If there wasn’t such a file before, make sure you publish it to the same folder as your website’s home page.
That’s it. All browsers that support this facility, including IE8, should now refuse to let other sites put any of your web pages in a frame. If you used the DENY option, it will also refuse to let your own site frame its own pages.
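As an added example, not code from the original article: a small Python check that applies the DENY and SAMEORIGIN rules described above to constructed response headers, and flags a header carrying conflicting values, which can arise because Apache’s `Header append` joins values with a comma when the header already exists (`Header set` replaces it instead). It assumes headers arrive as a list of (name, value) pairs, as a proxy or scanner would see them.

```python
# Added example, not from the article: apply the DENY / SAMEORIGIN rules to constructed
# response headers and flag a header that browsers cannot interpret reliably.
# Assumption: headers are passed as a list of (name, value) pairs.
from urllib.parse import urlsplit

def origin(url):
    """Scheme, host and port: the three parts SAMEORIGIN compares."""
    p = urlsplit(url)
    port = p.port or (443 if p.scheme.lower() == "https" else 80)
    return (p.scheme.lower(), (p.hostname or "").lower(), port)

def xfo_values(headers):
    """Every X-Frame-Options value in the response, including comma-joined ones."""
    # Apache's 'Header append' joins values with a comma when the header already exists,
    # so a rule that fires twice yields e.g. 'SAMEORIGIN, SAMEORIGIN'.
    vals = []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            vals += [v.strip().upper() for v in value.split(",") if v.strip()]
    return vals

def framing_verdict(headers, page_url, framer_url):
    """'ALLOW' if framer_url may frame page_url, 'DENY' if not,
    'MISCONFIGURED' if the header carries conflicting or unknown values."""
    vals = xfo_values(headers)
    if not vals:
        return "ALLOW"  # no header at all: any site may frame the page
    if len(set(vals)) != 1 or vals[0] not in ("DENY", "SAMEORIGIN"):
        return "MISCONFIGURED"  # e.g. DENY and SAMEORIGIN together, or a typo like SAME-ORIGIN
    if vals[0] == "DENY":
        return "DENY"  # even the site's own pages may not frame it
    return "ALLOW" if origin(page_url) == origin(framer_url) else "DENY"

# Constructed sample responses standing in for what each .htaccess line produces.
SAMEORIGIN_RESPONSE = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
DENY_RESPONSE = [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")]
NO_HEADER_RESPONSE = [("Content-Type", "text/html")]
CONFLICTING_RESPONSE = [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")]

if __name__ == "__main__":
    page = "https://www.domain.com/index.html"
    cases = [("SAMEORIGIN", SAMEORIGIN_RESPONSE), ("DENY", DENY_RESPONSE),
             ("no header", NO_HEADER_RESPONSE), ("conflicting", CONFLICTING_RESPONSE)]
    for label, hdrs in cases:
        for framer in ("https://www.domain.com/about.html", "https://blog.domain.com/", "https://other.example/"):
            print(f"{label:11} framed by {framer:35} -> {framing_verdict(hdrs, page, framer)}")
```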