Joey

Reputation: 509

Set X-Frame-Options to allow and disallow certain URLs to frame a page

I want to prevent my website from being clickjacked by someone else. So in my .htaccess file, I placed this code (which is working correctly):

Header set X-Frame-Options SAMEORIGIN

My website is now secured from being iframed by any site on the internet. However, I recently developed a mobile application that fetches the pages under about-us hosted on my website (my website contains www.mywebsite/about-us/author, www.mywebsite/about-us/company) to display the same details in the app. So I added these lines to my .htaccess file:

SetEnvIf REQUEST_URI ^about-us/$ aboutus_page
Header set X-Frame-Options SAMEORIGIN env=!aboutus_page

I want the rest of my pages to remain free from being iframed, except for all pages under mywebsite/about-us/ (any page in that directory).

Upvotes: 9

Views: 2902

Answers (2)

Nestor Urquiza

Reputation: 3027

At least in Apache 2.4, %{REQUEST_URI} won't work for the usual SPA kind of URI. Use %{THE_REQUEST} instead. SetEnvIf is also not as flexible, so I recommend simply using the <If> sections. Just tested the below and it works:

<If "! %{THE_REQUEST} =~ /.*about-us.*/">
  Header set X-Frame-Options SAMEORIGIN
</If>

Upvotes: 2
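An added example (not code from the question or either answer) that puts the two approaches discussed above into one root .htaccess. It assumes Apache 2.4 with mod_headers; /about-us/ is the asker's path, and the pattern is anchored to the leading slash that REQUEST_URI always carries, so author, company and any deeper sub-page are all covered.

```apache
# Root .htaccess (added example; assumes Apache 2.4 with mod_headers loaded).
# Goal: every page sends X-Frame-Options: SAMEORIGIN except those under /about-us/.

# Approach 1: <If> with an Apache 2.4 expression. REQUEST_URI always starts with "/",
# so the regex is anchored as "^/about-us/" and matches /about-us/author,
# /about-us/company and any deeper path. "!~" is the negated regex-match operator.
<If "%{REQUEST_URI} !~ m#^/about-us/#">
    # "always" also covers error responses (4xx/5xx), which "set" alone would skip.
    Header always set X-Frame-Options "SAMEORIGIN"
</If>
<Else>
    # Guard against a value inherited from the main server config or a parent context.
    Header always unset X-Frame-Options
</Else>

# Approach 2 (equivalent, older style): SetEnvIf plus an env= condition on Header.
# Request_URI is the SetEnvIf attribute name; the pattern is the same anchored prefix.
# Use one approach or the other, not both.
# SetEnvIf Request_URI "^/about-us/" aboutus_page
# Header always set X-Frame-Options "SAMEORIGIN" env=!aboutus_page
```

After reloading, a request for /about-us/company should come back without the header while any other path still carries it; that check is worth running against a staging copy before deploying, since a pattern that never matches silently leaves every page protected and the app's pages blank.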

TheBlueOne

Reputation: 496

You can make a second .htaccess file in the "aboutus" folder where you allow iframes, so it will override the outer .htaccess file. If you just want to allow iframes in company and author, you can put .htaccess files there too.

Upvotes: 0
