X-Frame-Options on Apache - apache

I am trying to allow some particular domain to access my site via iframe
Header set X-Frame-Options ALLOW-FROM https://www.example.com
I know this could be done by adding the line above to the config of the Apache server.
Two questions here.
Which config file should it be added to? Apache is running on both Unix and Windows, if it is not the same file.
While enabling ALLOW-FROM, I still want to be able to run some iframes from my own domain. Can I just add the following line after the ALLOW-FROM?
Header set X-Frame-Options SAMEORIGIN
Or should I just add my own domain to the ALLOW-FROM, i.e.
Header set X-Frame-Options ALLOW-FROM https://www.example.com, http://www.my-own-domain.example

You can add to .htaccess, httpd.conf or VirtualHost section
Header set X-Frame-Options SAMEORIGIN this is the best option
Allow from URI is not supported by all browsers. Reference: X-Frame-Options on MDN

See X-Frame-Options header on error response
You can simply add following line to .htaccess
Header always unset X-Frame-Options

What did it for me was the following, I've added the following directive in both the HTTP <VirtualHost *:80> and HTTPS <VirtualHost *:443> virtual host blocks:
ServerName example.com
ServerAlias www.example.com
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
The reasoning behind this? Well by default if set, the server does not reset the X-Frame-Options header so we need to first always remove the default value, in my case it was DENY, and then with the next rule we set it to the desired value, in my case SAMEORIGIN. Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.

This worked for me on all browsers:
Created one page with all my javascript
Created a 2nd page on the same server and embedded the first page using the object tag.
On my third party site I used the Object tag to embed the 2nd page.
Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.

I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.
To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):
Header set X-Frame-Options ALLOW-FROM http://example.com early
Header unset X-Frame-Options
The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.
I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.

You have to enable mod_headers first on your server:
sudo a2enmod headers
sudo service apache2 restart

Related

How can i add current URL to .htaccess CSP header dynamically?

I'm currently working on a Shopify app; one of their main requirements is to add iframe protection. Here is more info.
Currently, to resolve this, the CSP I need to set should be in this format:
Content-Security-Policy: frame-ancestors https://shopify-dev.myshopify.com https://admin.shopify.com;
The https://shopify-dev.myshopify.com in above code should be the merchant/ requester domain.
What I tried?
I created a .htaccess file with the following; it's not adding the dynamic URL.
<IfModule mod_rewrite.c>
RewriteEngine On
Header set Content-Security-Policy "frame-ancestors '%{HTTP_HOST}' 'https://admin.shopify.com';"
</IfModule>
This is what I'm getting in console:
Apache
On Apache, you would need to do it like this instead:
### Apache ###
Header set Content-Security-Policy "frame-ancestors https://%{HTTP_HOST}e https://admin.shopify.com;"
Note the e after %{HTTP_HOST}e (specific syntax for mod_headers). I've also removed the single quotes (not present in the Spotify example) and included the https:// protocol.
The <IfModule> and RewriteEngine On directives are irrelevant here.
Reference:
https://httpd.apache.org/docs/current/mod/mod_headers.html#header
UPDATE:
LiteSpeed
However, if you are using LiteSpeed (as opposed to Apache) you will instead need to first explicitly assign the Host header to an environment variable and use this in the Header directive instead. (Apache is able to access server variables directly using this syntax, but not LiteSpeed.)
For example:
### LiteSpeed ###
# Assign the "Host" header to an env var "HOSTNAME"
SetEnvIf Host "(.*)" HOSTNAME=$1
# Use "HOSTNAME" (env var) instead in the Header directive
Header set X-Content-Security-Policy "frame-ancestors https://%{HOSTNAME}e https://admin.shopify.com;"
Attempting to use the syntax %{HTTP_HOST} (as you originally had) on Apache would have resulted in a 500 Internal Server Error (with the error "Unrecognized header format %" being reported in the error logs). However, on LiteSpeed this just outputs the literal string {HTTP_HOST} and no error.

Apache X-FRAME OPTIONS

I'm trying to enable X-FRAME only on my specific VH.
In httpd-default.conf
I set the line:
Header always append X-Frame-Options SAMEORIGIN
On my website, where I need to enable X-FRAME from a specific source:
Header always append X-Frame-Options "ALLOW-FROM https://sites.com"
My main idea is to block X-FRAME by default.
Using Apache 2.4.
Thanks
I had a problem using Header always append... (sometimes it doesn't work) so I changed to:
Header set X-Frame-Options "ALLOW-FROM https://sites.com"
and it works!
Just remember that Chrome doesn't have support for ALLOW-FROM, so it will be ignored and always can pass.
PS: It's recommended to avoid the use of X-Frame-Options and change to Content Security Policy using frame-src: 'src' https://sites.com 'etc';

Apache X-Frame-Options Allow-From multiple domains

I got an error when using the X-Frame-Options header with Apache.
Header always append X-Frame-Options ALLOW-FROM site1,site2,site3
or
Header always append X-Frame-Options ALLOW-FROM=site1,site2,site3
or
Header always append X-Frame-Options ALLOW-FROM=site1
Header always append X-Frame-Options ALLOW-FROM=site2
Header always append X-Frame-Options ALLOW-FROM=site3
How could I set the X-Frame-Options: ALLOW-FROM to support more than a single domain?
Thanks!
It's worth noting that ALLOW-FROM is being removed from Firefox 70, and other browsers are likely to follow. You will want to use CSP's frame-ancestors directive instead, which is supported in about 95% of browsers.
Your example would then be:
Header always append Content-Security-Policy "frame-ancestors site1 site2 site3;"
EDIT: frame-ancestors overwrites X-FRAME-OPTIONS in new browsers, so theoretically you could set a value for old browsers in there and have CSP overwrite it in new browsers, but the problem is that there is no X-FRAME-OPTIONS value that will let you be embedded in multiple webpages. The only valid options are deny (not allowed anywhere), sameorigin (your website only) and allow-from (removed from modern browsers, only allowed one site anyway).
The old X-FRAME-OPTIONS value that you want to overwrite is none at all. That will allow you to embed your site in multiple other sites (all of them) and restrict it to the sites you allow in modern browsers.
If not embedding in disallowed sites is more important than embedding in allowed sites, then combine the above with:
Header always append X-Frame-Options "DENY"
That will prevent your site being embedded in all sites in about 3% of browsers, shown only in the allowed sites in 95% of browsers, and shown everywhere in the remaining 2% (even X-FRAME-OPTIONS isn't supported everywhere).
EDIT 17/01/2018 :
This is what is correct :
Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM http://www.example.com/"
Header append X-Frame-Options "ALLOW-FROM http://example.com/"
Header append X-Frame-Options "ALLOW-FROM https://www.example.com/"
Header append X-Frame-Options "ALLOW-FROM https://example.com/"
So basically you only allow iframes from your site (SAMEORIGIN) and you specify with an "append" a list of allowed URLs. If you don't add the "append", each line will overwrite the previous one.
This actually works with Internet Explorer 11, doesn't work in Firefox 57, and is ignored by Chrome...
Testing with https://securityheaders.io will not give you an "A" because they can't handle multiple URIs:
We couldn't detect a valid configuration. Expected values are "DENY", "SAMEORIGIN", "ALLOW-FROM (URL)" and "ALLOWALL".
Another possibility which seems to work in IE11 and Firefox is :
Header always set X-Frame-Options "ALLOW-FROM https://www.example.fr/ https://example.fr/ http://www.example.fr/ http://example.fr/"
It gives an "A" when you check the result with https://securityheaders.io
By the way, I'm wondering what's the point of using a security setting that you can bypass using the most used browser in the world (Chrome)?
SetEnvIf Referer "^(https:\/\/.*\.example1\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1
SetEnvIf Referer "^(https:\/\/.*\.example2\.com)/.*" X_FRAME_OPTIONS_ALLOWED=$1
Header set X-Frame-Options SAMEORIGIN
Header append X-Frame-Options "ALLOW-FROM %{X_FRAME_OPTIONS_ALLOWED}e" env=X_FRAME_OPTIONS_ALLOWED
Since the support for ALLOW-FROM is varying in both implementation and support across browsers I tried the following solution which either sets SAMEORIGIN or conditionally removes X-Frame-Options altogether.
Tried on apache-2.4.
# Set X-Frame-Options SAMEORIGIN _unless_ the referer is any of my allowed sites.
# Add one or more SetEnvIf - whatever suits your purpose
# This part you MUST adapt.
# ALLOW https://my.allowed.site.com
SetEnvIf Referer "^https:\/\/my\.allowed\.site\.com\/.*" X_FRAME_OPTIONS_ALLOWED
# ALLOW https://mysite.tld.com and https://yoursite.tld.com
SetEnvIf Referer "^https:\/\/(mysite|yoursite)\.tld\.com\/.*" X_FRAME_OPTIONS_ALLOWED
# ALLOW https://mysite.tld.com and https://yoursite.theother.org
SetEnvIf Referer "^https:\/\/(mysite\.tld\.com|yoursite\.theother\.org)\/.*" X_FRAME_OPTIONS_ALLOWED
# Set X-Frame-Options = SAMEORIGIN _unless_ the referer is in the allow list.
Header always set X-Frame-Options SAMEORIGIN env=!X_FRAME_OPTIONS_ALLOWED
# Always _unset_ X-Frame-Options if the referer is in the allow list.
Header always unset X-Frame-Options env=X_FRAME_OPTIONS_ALLOWED
You could either add multiple SetEnvIf or expand the regex - YMMV.
Your colleagues will love you for making things readable...
Header always append X-Frame-Options ALLOW-FROM=site1
Header always append X-Frame-Options ALLOW-FROM=site2
Header always append X-Frame-Options ALLOW-FROM=site3
This way is OK.
But I got an error when I first used it.
Maybe I typed a wrong character.
EDIT 17/01/2018 :
This solution below is not correct, as the setting on each line is overwriting the previous one, so you only allow http://example.com/
Finally I found the correct syntax for that. According to this site:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
This worked for me :
Header always set X-Frame-Options "ALLOW-FROM https://www.example.com/"
Header always set X-Frame-Options "ALLOW-FROM https://example.com/"
Header always set X-Frame-Options "ALLOW-FROM http://www.example.com/"
Header always set X-Frame-Options "ALLOW-FROM http://example.com/"
The specification for X-Frame-Options only specifies to use one of DENY, SAMEORIGIN and ALLOW-FROM (https://www.rfc-editor.org/rfc/rfc7034#section-2.1). Some browsers may support multiple ALLOW-FROM, but many browsers don't support ALLOW-FROM at all.
Your best option is to implement the Content-Security-Policy header with the frame-ancestors directive. This allows multiple URIs to be configured and is understood by most browsers but IE and Edge 14 and below.
For IE and Edge 14 support you can also set the X-Frame-Options with ALLOW-FROM. If you create a whitelist of values you may be able to set the ALLOW-FROM URI based on the referrer.
It doesn't hurt to set both headers. Browsers that understand Content-Security-Policy frame-ancestors will ignore X-Frame-Options and those that don't understand frame-ancestors will ignore it and use X-Frame-Options if available. Combining https://caniuse.com/#search=csp and https://caniuse.com/#search=x-frame-options this will work for all browsers except "UC Browser for Android"
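The thread above turns on what actually reaches the client once `Header append` or repeated `Header set` lines have run. The following is an added example, not code from any of the answers: a small Python check that audits a response's framing headers against the points made here (one X-Frame-Options value per RFC 7034, ALLOW-FROM not honoured by Chrome, frame-ancestors as the multi-origin mechanism). The function name, finding codes and sample headers are constructed for illustration, and it assumes a single Content-Security-Policy header.

```python
# Added example: constructed inputs; finding names are made up for this sketch.
XFO_SINGLE = {"DENY", "SAMEORIGIN"}  # RFC 7034 values that take no argument

def audit_framing_headers(headers):
    """headers: (name, value) pairs exactly as sent, duplicates kept.
    Returns (findings, frame_ancestors); frame_ancestors is None if absent."""
    findings, xfo_values, frame_ancestors = [], [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            # `Header append` merges onto an existing header with a comma,
            # so a merged value is split the same way as repeated headers.
            xfo_values += [v.strip() for v in value.split(",") if v.strip()]
        elif lname == "content-security-policy" and frame_ancestors is None:
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    frame_ancestors = parts[1:]
                    break

    def note(code):
        if code not in findings:
            findings.append(code)

    if len(xfo_values) > 1:
        note("xfo-multiple-values")          # RFC 7034 defines exactly one
    for value in xfo_values:
        parts = value.split()
        if parts[0].upper() == "ALLOW-FROM":
            note("xfo-allow-from")           # not honoured by Chrome
            if len(parts) != 2:
                note("xfo-allow-from-not-one-uri")
        elif value.upper() not in XFO_SINGLE:
            note("xfo-invalid-value")        # e.g. ALLOW-FROM=site1
    if frame_ancestors is None:
        note("no-frame-ancestors" if xfo_values else "no-framing-policy")
    return findings, frame_ancestors

# Constructed samples mirroring configurations quoted on this page.
APPENDED = [("X-Frame-Options", "SAMEORIGIN, ALLOW-FROM http://www.example.com/, "
                                "ALLOW-FROM https://example.com/")]
SPACE_LIST = [("X-Frame-Options", "ALLOW-FROM https://www.example.fr/ https://example.fr/")]
CSP_PLUS_DENY = [("Content-Security-Policy", "frame-ancestors site1 site2 site3;"),
                 ("X-Frame-Options", "DENY")]

if __name__ == "__main__":
    for sample in (APPENDED, SPACE_LIST, CSP_PLUS_DENY):
        print(audit_framing_headers(sample))
```

Feed it the header pairs captured from a real response (for instance from `curl -sI`) to see whether a configuration change produced the single-valued header plus frame-ancestors list that was intended.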

Putting hsts headers in apache using htaccess or httpd.conf

I have purchased an SSL certificate recently and have redirected all my traffic to secure HTTPS, but I want to get included in the HSTS preload list. For that reason I want to include the HSTS header. Is there any way using .htaccess or httpd.conf, or if there is another way then please tell me in detail.
You can set the HSTS header in a .htaccess file:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
#see How to set HSTS header from .htaccess only on HTTPS for more information
or with php:
header('Strict-Transport-Security: max-age=63072000; includeSubdomains; preload');
You can also put the HSTS header on the application side, I mean PHP. Add the following code at the top of your header.php or index.php
<?php header("strict-transport-security: max-age=600");
People who use shared hosting do not have access to apache.conf. So proper way to do this is putting it on apache.conf.

How to use the SetEnvIf in this situation?

I am trying to put an X-FRAME-OPTIONS header in the HTTP response to prevent clickjacking attacks.
If I set the header in the httpd.conf or .htaccess file like this, it works.
Header set X-Frame-Options SAMEORIGIN
But there are several places that use iframes on my own website; if I do this, it will also block the iframes on my own website. So I am trying to add an exception for my own website: check if the request is from my own website, then allow the iframe on the page. I tried this, but it didn't work.
SetEnvIf Host http://myownwebsite\.com iframes_are_cool
Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool
Could someone help me with this?
SetEnvIf is not as flexible so I recommend to use simply the // sections. Give the below a try:
# The Host header carries no scheme, and the expression variable is HTTP_HOST
<If "%{HTTP_HOST} !~ /^myownwebsite\.com$/">
Header set X-Frame-Options SAMEORIGIN
</If>