Information
To prevent Clickjacking or UI Redressing attacks, it's important for the server to include an HTTP header which instructs browsers to restrict the content from being framed. There are two headers that may be used. The Content-Security-Policy header, or the X-Frame-Options header. The Header directive allows server HTTP response headers to be added, replaced or merged. We will use the directive to add a server HTTP response header to tell browsers to restrict all of the web pages from being framed by other web sites.
Rationale:
Using iframes and regular web frames to embed malicious content along with expected web content has been a favored attack vector for attacking web clients for a long time. This can happen when the attacker lures the victim to a malicious web site, which uses frames to include the expected content from the legitimate site. The attack can also be performed via XSS (either reflected, DOM or stored XSS) to add the malicious content to the legitimate web site.
To combat this attack vector, either an X-Frame-Options response header or a Content-Security-Policy response header may be used. The Content-Security-Policy header is the preferred solution. The X-Frame-Options header should have a value of either DENY, which prevents all framing, or SAMEORIGIN which prevents framing except via pages which share the same origin. The Content-Security-Policy header may also be to restrict framing with a frame-ancestors directive and a value of none or self
Solution
Perform the following to implement the recommended state:
Add or modify the Header directive for the Content-Security-Policy header in the Apache configuration to have the condition always, an action of append and a value of frame-ancestors self, as shown below.
Header always append Content-Security-Policy "frame-ancestors 'self'"
Default Value:
Neither the Content-Security-Policy HTTP response header nor the X-Frame-Options header is generated by default.