Clickjacking is a malicious technique of tricking a web user into clicking on something different from what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer when they click on seemingly innocuous web pages.
A clickjack takes the form of embedded code or a script that executes without the user's knowledge, i.e. clicking on a button performs a different function from the one the user expects.
IIS server
To configure an Internet Information Services (IIS) server:
- On the OSCE server, open Command Prompt with administrative privileges.
- Execute the following command:
"C:\Windows\System32\inetsrv\appcmd.exe" set config "OfficeScan" -section:httpProtocol "/+customHeaders.[name='X-Frame-Options',value='SAMEORIGIN']"
- Close the command window.
Apache server
To configure an Apache server:
- On the OSCE server, open the httpd.conf file in the PCCSRV\Apache2\conf directory.
- Add the following information into the httpd.conf file:
#set up response header
<IfModule mod_headers.c>
Header always append X-Frame-Options SAMEORIGIN
Header set Content-Security-Policy "default-src 'self'"
</IfModule>
- Save and close the httpd.conf file.
- Restart the Apache2.2 service.
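To confirm that the headers configured above reach the browser in a form it honours, here is an added example (not from the original article or from Trend Micro) that inspects a response's headers, using constructed sample values rather than output captured from an OfficeScan server. It flags a missing or comma-joined X-Frame-Options value (browsers ignore multiple values, which is what `Header append` produces if the header was already set elsewhere) and notes that `default-src` does not govern framing, so only a `frame-ancestors` directive would make the Content-Security-Policy line itself a clickjacking defence.

```python
"""Check whether HTTP response headers protect a page against clickjacking.

Added example; the sample responses below are constructed for illustration.
"""
from typing import Dict, List


def framing_findings(headers: Dict[str, str]) -> List[str]:
    """Return the problems found; an empty list means framing is restricted to the page's own origin."""
    findings = []
    # Header names are case-insensitive, so normalise before looking them up.
    h = {k.lower(): v.strip() for k, v in headers.items()}

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    elif "," in xfo:
        # Apache 'Header append' on an already-set header yields e.g. "DENY, SAMEORIGIN";
        # browsers treat a multi-valued X-Frame-Options as invalid and ignore it entirely.
        findings.append(f"X-Frame-Options has multiple values and will be ignored: {xfo!r}")
    elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
        # ALLOW-FROM is obsolete and not honoured by current browsers.
        findings.append(f"X-Frame-Options value not honoured by modern browsers: {xfo!r}")

    csp = h.get("content-security-policy", "")
    directives = {d.split()[0] for d in csp.split(";") if d.strip()}
    if "frame-ancestors" not in directives:
        # frame-ancestors does not fall back to default-src, so "default-src 'self'"
        # alone leaves framing control entirely to X-Frame-Options.
        findings.append("CSP has no frame-ancestors directive (default-src does not apply to framing)")
    return findings


# Constructed sample responses (not captured from a real server).
HARDENED = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"}
PAGE_CONFIG = {"X-Frame-Options": "SAMEORIGIN",
               "Content-Security-Policy": "default-src 'self'"}
APPENDED_TWICE = {"X-Frame-Options": "DENY, SAMEORIGIN"}
UNPROTECTED = {"Content-Type": "text/html"}

if __name__ == "__main__":
    for name, hdrs in [("hardened", HARDENED), ("page config", PAGE_CONFIG),
                       ("appended twice", APPENDED_TWICE), ("unprotected", UNPROTECTED)]:
        print(name, "->", framing_findings(hdrs) or "OK")
```

The headers from a live console can be obtained with any HTTP client and passed to framing_findings as a plain dict.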