DEV Community

Cover image for How to Fix Clickjacking on NGINX Server in 6 Simple Steps🔥
Keshav Malik
Keshav Malik

Posted on • Updated on

How to Fix Clickjacking on NGINX Server in 6 Simple Steps🔥

What is Clickjacking?

Clickjacking is the practice of tricking a user into clicking on something different from what they think they are clicking on. This often occurs in web browsers, where scripts can be used to make an invisible iframe appear to the user, but the iframe loads a different website than what the user thinks. For example, when a user clicks on a “Like” button, the user might instead unknowingly be liking the attacker’s Facebook profile.

Clickjacking

How to fix Clickjacking on NGINX server?

There are multiple way to fix Clickjacking Vulnerability, but in this blog post we’ll see how to fix Clickjacking using X-Frame-Options headers.

1. Login to your server

First things first, Login to your server using ssh.

ssh root@<<server_ip>>

2. Open your NGINX Config file

To make changes in the configuration file, use any text editor to edit the file. I’ll be using vi text editor.

Use the following command to open the text editor:

sudo vi /etc/nginx/nginx.conf

Now press i to enter into insert mode (Only for vi text editor)

3. Update the Config file

In the http block of the config file, add the following code block:

add_header X-Frame-Options sameorigin always;

Once done, save the config file by pressing ESC key and then type :x and press enter. (Only for vi text editor)

4. Test the Config File

After saving the configuration file, test the file using following command:

sudo nginx -t

If the output states not successful, you have probably made some mistake in the configuration.

5. Restart NGINX Server

If the result of the above command was successful, you need to restart your server to update the changes that we have made.

sudo service nginx restart

or use sudo systemctl restart nginx

6. Verify the results

Now, we are already done with the heavy lifting. It’s time to test if Clickjacking Vulnerability is fixed or not. Vulnerable.Live is an online platform to test for Clickjacking.

Go to Vulnerable.Live and Enter your domain name.

Vulnerable.Live Dashboard

Vulnerable.Live helps test for Clickjacking and generate report and POC for the vulnerability.

Conclusion

Clickjacking is usually considered as a low hanging fruit but you never know which vulnerability hackers can exploit. Keep your Web Application secure from hackers using Vulnerable.Live.

Discussion (2)

Collapse
dsp9107 profile image
Dhawal Singh Panwar

This is good. 🎯

Never knew there was a sudo nginx -t though. You saved me from restarting NGINX multiple times just to discover that there's a typo. 😆

Collapse
theinfosecguy profile image
Keshav Malik Author

Thanks Brother 😄
Hope it helps 🍻😁