Score: 22

Recently my complete site is being called in an iframe by two other domains. I would like to block other sites that are trying to show my site in an iframe.

How can I block that through .htaccess?

Victor Häggqvist
user737665

5 Answers

Score: 68

You can set the X-Frame-Options header to DENY.

All modern browsers support the X-Frame-Options header.

Facebook uses this header to disable iframes/framesets (also JavaScript).

If you have enabled mod_headers in Apache:

.htaccess

Header set X-Frame-Options DENY

But you can allow iframes that come from the same origin:

# Use "set", not "append": "append" merges onto an existing X-Frame-Options value,
# and a response carrying two different values is blocked from framing everywhere by current browsers.
Header always set X-Frame-Options SAMEORIGIN

Or in Nginx:

# add_header directives are only inherited by a location block that defines no add_header of its own.
add_header X-Frame-Options DENY; # or SAMEORIGIN

Browser compatibility (first supporting versions):

  • Internet Explorer: 8.0
  • Firefox (Gecko): 3.6.9 (1.9.2.9)
  • Opera: 10.50
  • Safari: 4.0
  • Chrome: 4.1.249.1042
Dg Jacquard
  • I think that this is the best way to do so. Another appropriate way would be using PHP: header("X-Frame-Options: SAMEORIGIN")... JS or referrers are pointless – emfi Jan 15 '14 at 14:46
  • Note: The Header directive is in the mod_headers Apache module. You need to make sure that module is loaded into the Apache server. https://stackoverflow.com/a/19510208/2042775 – sj59 Aug 03 '17 at 09:57
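Added example, not code from the answer above: a Node.js model of how current browsers evaluate X-Frame-Options (the HTML standard's "check a navigable's X-Frame-Options" steps), so a configuration can be reasoned about before it is deployed. It goes a little beyond the answer by covering nested frames, the obsolete ALLOW-FROM value, and the case where two directives leave two values on one response. The origins victim.example, framer.example and partner.example are constructed placeholders; a Content-Security-Policy frame-ancestors directive, which makes browsers ignore X-Frame-Options altogether, is not modelled.

```javascript
// Added example (not from the original answer): a Node.js model of how current
// browsers evaluate X-Frame-Options, following the HTML standard's
// "check a navigable's X-Frame-Options" steps. Origins are constructed placeholders.

// Parse every X-Frame-Options header line a response carried, the way a
// browser combines them: split on commas, trim, lowercase, deduplicate.
function parseXfo(headerLines) {
  const values = new Set();
  for (const line of headerLines) {
    for (const token of line.split(',')) {
      const v = token.trim().toLowerCase();
      if (v !== '') values.add(v);
    }
  }
  return values;
}

// Decide whether a document served with `headerLines` (all X-Frame-Options
// lines, in order) may be displayed inside frames whose origins are
// `ancestorOrigins` (innermost first; empty means the document is top-level).
// `pageOrigin` is the framed document's own origin. Returns true if allowed.
// A CSP frame-ancestors directive would override all of this; not modelled here.
function framingAllowed(headerLines, pageOrigin, ancestorOrigins) {
  if (ancestorOrigins.length === 0) return true; // top-level: nothing to block
  if (headerLines.length === 0) return true;     // header absent: framable
  const xfo = parseXfo(headerLines);
  if (xfo.size > 1) {
    // Two or more distinct values, e.g. "DENY" from one directive and
    // "SAMEORIGIN" from a second one: blocked outright if any recognised
    // keyword is among them, otherwise treated as garbage (allowed).
    return !(xfo.has('deny') || xfo.has('sameorigin') || xfo.has('allowall'));
  }
  const [value] = xfo;
  if (value === 'deny') return false;
  if (value === 'sameorigin') {
    // Every ancestor, not just the direct parent, must share the origin.
    return ancestorOrigins.every((o) => o === pageOrigin);
  }
  // Unrecognised values, including the obsolete ALLOW-FROM, are ignored.
  return true;
}

// Scenarios a site operator would want to check (constructed data).
const PAGE = 'https://victim.example';
const SCENARIOS = [
  { name: 'DENY, framed by third party',             headers: ['DENY'],               ancestors: ['https://framer.example'] },
  { name: 'SAMEORIGIN, framed by itself',            headers: ['SAMEORIGIN'],         ancestors: [PAGE] },
  { name: 'SAMEORIGIN, framed by third party',       headers: ['SAMEORIGIN'],         ancestors: ['https://framer.example'] },
  { name: 'SAMEORIGIN, own frame inside third party', headers: ['SAMEORIGIN'],        ancestors: [PAGE, 'https://framer.example'] },
  { name: 'set DENY then append SAMEORIGIN',         headers: ['DENY', 'SAMEORIGIN'], ancestors: [PAGE] },
  { name: 'ALLOW-FROM (obsolete), listed partner',   headers: ['ALLOW-FROM https://partner.example'], ancestors: ['https://partner.example'] },
];

function evaluateScenarios() {
  return SCENARIOS.map((s) => ({ name: s.name, allowed: framingAllowed(s.headers, PAGE, s.ancestors) }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateScenarios()) {
    console.log(`${r.allowed ? 'ALLOWED' : 'BLOCKED'}  ${r.name}`);
  }
}
```

Two of the scenarios are the ones worth remembering: a DENY and a SAMEORIGIN arriving together (the result of "set" plus "append") blocks even the site's own frames, and ALLOW-FROM is simply ignored, so a page relying on it is framable by anyone. To pass a response through this check, collect its X-Frame-Options lines (for example from `curl -sI`) into the `headerLines` array.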
Score: 3

I don't think you can through .htaccess; you can use JS, however. You can use a function like this one to check:

function parentIsSameOrigin()
{
    // Not inside a frame at all: window.parent is the window itself.
    if (window.parent === window)
    {
        return true;
    }
    try
    {
        // A cross-origin parent's location cannot be read: the browser throws
        // a SecurityError, which the catch below turns into "not same origin".
        return window.location.origin === window.parent.location.origin;
    }
    catch (e)
    {
        return false;
    }
}
udjamaflip
  • Mmm...but what if JavaScript is disabled on the client's browser? – Chris Forrence Dec 17 '12 at 13:34
  • There is no other way, if this is a legitimate concern I would load the contents of the Iframe using JS to ensure nothing displays unless the function validates. – udjamaflip Dec 17 '12 at 22:31
  • You can always put display:none with CSS and remove it with JavaScript. It forces the content not to display if the user has disabled JavaScript (which is unacceptable by modern standards). – dtakis Apr 14 '15 at 23:58
Score: 2

You can't "enforce" it per se, since there are ways around it, but you can use the standard header method. html5-boilerplate has a nice vhost/htaccess snippet that first sets X-Frame-Options to your choice of DENY/SAMEORIGIN/ALLOW-FROM, and then whitelists MIME types for use in good frames such as Google image search.

Check the link for the latest version, but here is the example from Jan 25 2016 in SAMEORIGIN mode:

<IfModule mod_headers.c>
    # Refuse to be framed by any other origin.
    Header set X-Frame-Options "SAMEORIGIN"

    # Static assets are fine to embed elsewhere (e.g. images in Google image search),
    # so drop the header again for those file types.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|webmanifest|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
</IfModule>
dhaupin
Score: -1

You can use .htaccess as follows:

RewriteEngine On

# if the referrer is bad.com (or www.bad.com), case-insensitive
RewriteCond %{HTTP_REFERER} (www\.)?bad\.com [NC]
# then redirect every request except the 404 page itself to the 404 page
RewriteRule !^404\.shtm$ /404.shtm [L,NC,R=302]

You will need to rely on HTTP_REFERER for this; this code will redirect any requests from bad.com to the not-found page.

This solution was contributed to this answer:

https://stackoverflow.com/a/19773719/1641233

Community
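Added example, not part of the answer above: the same Referer condition modelled in Node.js and run over constructed requests, to show the two ways a Referer-based rule misfires: an absent Referer lets the framing page straight through, and the unanchored pattern also matches unrelated hosts. bad.com is the answer's placeholder hostname; good.example and notbad.com are made up for this example. The stricter host comparison is an alternative I added, not something the answer proposes.

```javascript
// Added example (not from the original answer): models the Referer test in
// the mod_rewrite snippet above and runs it over constructed requests.
// "bad.com" is the answer's placeholder; the other hostnames are made up.

// The RewriteCond pattern exactly as written in the snippet: unanchored, and
// case-insensitive because of the [NC] flag.
const REFERER_PATTERN = /(www\.)?bad\.com/i;

// true when the rewrite rule would fire for this Referer header value.
function refererRuleFires(refererHeader) {
  // With no Referer header, %{HTTP_REFERER} expands to an empty string, so
  // the pattern does not match and the rule silently does nothing (fails open).
  return REFERER_PATTERN.test(refererHeader || '');
}

// A stricter alternative: parse the Referer as a URL and compare the host
// (and its subdomains) exactly. It still depends entirely on the framing
// page's browser sending a Referer at all.
function refererHostBlocked(refererHeader, blockedHosts) {
  if (!refererHeader) return false;
  let host;
  try {
    host = new URL(refererHeader).hostname.toLowerCase();
  } catch (e) {
    return false; // not a URL: nothing to compare, so fail open
  }
  return blockedHosts.some((h) => host === h || host.endsWith('.' + h));
}

// Constructed requests: the Referer the framing page's browser would send.
const SAMPLE_REQUESTS = [
  { referer: 'https://www.bad.com/embed',           note: 'framed by bad.com' },
  { referer: '',                                     note: 'bad.com serves Referrer-Policy: no-referrer' },
  { referer: 'https://good.example/?q=bad.com',     note: 'legitimate site, bad.com only in the query string' },
  { referer: 'https://notbad.com/',                  note: 'unrelated host that merely ends in bad.com' },
];

function evaluateRequests() {
  return SAMPLE_REQUESTS.map((r) => ({
    note: r.note,
    regexFires: refererRuleFires(r.referer),
    hostBlocked: refererHostBlocked(r.referer, ['bad.com']),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of evaluateRequests()) {
    console.log(`regex=${r.regexFires}  host=${r.hostBlocked}  ${r.note}`);
  }
}
```

The second request is the one that matters: a framing page can set `Referrer-Policy: no-referrer` (or a `referrerpolicy` attribute on its iframe) and the browser sends no Referer at all, so neither version of the rule fires. That is why the accepted answer's X-Frame-Options header, which the browser enforces itself, is the check to rely on.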
Score: -4

Umm, I don't think you can.

An iframe is a client-side container, which means that the end user's browser is responsible for loading the content within the iframe. You wouldn't be able to tell whether your page was loaded in an iframe or not.

Jaimal Chohan