What is Clickjacking?
Clickjacking is the practice of tricking a user into clicking on something different from what they think they are clicking on. This often occurs in web browsers, where scripts can be used to make an invisible iframe appear to the user, but the iframe loads a different website than what the user thinks. For example, when a user clicks on a “Like” button, the user might instead unknowingly be liking the attacker’s Facebook profile.
How to fix Clickjacking on NGINX server?
There are multiple way to fix Clickjacking Vulnerability, but in this blog post we’ll see how to fix Clickjacking using X-Frame-Options headers.
1. Login to your server
First things first, Login to your server using ssh.
2. Open your NGINX Config file
To make changes in the configuration file, use any text editor to edit the file. I’ll be using vi text editor.
Use the following command to open the text editor:
sudo vi /etc/nginx/nginx.conf
Now press i to enter into insert mode (Only for vi text editor)
3. Update the Config file
In the http block of the config file, add the following code block:
add_header X-Frame-Options sameorigin always;
Once done, save the config file by pressing ESC key and then type :x and press enter. (Only for vi text editor)
4. Test the Config File
After saving the configuration file, test the file using following command:
sudo nginx -t
If the output states not successful, you have probably made some mistake in the configuration.
5. Restart NGINX Server
If the result of the above command was successful, you need to restart your server to update the changes that we have made.
sudo service nginx restart
sudo systemctl restart nginx
6. Verify the results
Now, we are already done with the heavy lifting. It’s time to test if Clickjacking Vulnerability is fixed or not. Vulnerable.Live is an online platform to test for Clickjacking.
Go to Vulnerable.Live and Enter your domain name.
Vulnerable.Live helps test for Clickjacking and generate report and POC for the vulnerability.
Clickjacking is usually considered as a low hanging fruit but you never know which vulnerability hackers can exploit. Keep your Web Application secure from hackers using Vulnerable.Live.