Applicable to:
- Plesk for Linux
Question
How to prevent clickjacking using the Apache/nginx directives on the Plesk server?
Answer
To prevent clickjacking, add the X-Frame-Options header with the DENY value to the Apache and nginx configuration of a domain:
- Go to Domains > example.com > Apache & nginx Settings.
- For Apache, add this line to the Additional directives for HTTP and Additional directives for HTTPS fields:
  CONFIG_TEXT: Header set X-Frame-Options DENY
- For nginx, add this line to the Additional nginx directives field:
  CONFIG_TEXT: add_header X-Frame-Options DENY;
Note: This configuration may break some Roundcube options.
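To check the result after applying the directives, the following added example (not part of the original article) classifies the X-Frame-Options headers in a raw response header block such as the output of `curl -sI`. The function name `xfo_status` is hypothetical and the sample responses are constructed.

```shell
#!/bin/sh
# Added example: report whether a response carries X-Frame-Options: DENY.
# Live use (example.com is a placeholder): curl -sI https://example.com/ | xfo_status

xfo_status() {
    # Header names are case-insensitive and lines end in CRLF on the wire:
    # strip \r, match the name in lowercase, collect the distinct values.
    xfo_values=$(tr -d '\r' | awk '{
        i = index($0, ":")
        if (i && tolower(substr($0, 1, i - 1)) == "x-frame-options") {
            v = toupper(substr($0, i + 1))
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
        }
    }' | sort -u | paste -sd, -)
    case "$xfo_values" in
        "")   echo "missing";              return 1 ;;
        DENY) echo "deny";                 return 0 ;;
        *)    echo "not-deny:$xfo_values"; return 2 ;;
    esac
}

# Constructed sample: both servers added the header to the same response
# (assumes nginx proxies to Apache, so the header appears twice).
sample_both=$(printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nx-frame-options: DENY\r\nX-Frame-Options: DENY\r\n\r\n')

# Constructed sample: an error response without the header. nginx only
# applies add_header to error responses when the "always" parameter is given.
sample_error=$(printf 'HTTP/1.1 404 Not Found\r\nServer: nginx\r\n\r\n')

# Constructed sample: two layers disagree about the value.
sample_mixed=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n')

for sample in "$sample_both" "$sample_error" "$sample_mixed"; do
    printf '%s\n' "$sample" | xfo_status || true
done
```

Run it against both an ordinary page and an error page of the domain, since the two can be answered with different header sets.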
Comments
Hi,
1. X-Frame-Options DENY interferes with PrestaShop 8.1.7. If you add these directives, when you try to add a new product, you'll get a pop-up window with the message: domain_name refused to connect.
2. In Mozilla, X-Frame-Options is deprecated: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
3. In Chrome: Remove support for X-Frame-Options in tags - https://developer.chrome.com/blog/chrome-52-deprecations#remove_support_for_x-frame-options_in_tags