X-Frame-Options Header Not Set: How do I set it?

Question

I am using Apache server for Wamp application. While doing security testing, I got these error reports which says:

X-Frame-Options Header Not Set. For this I know that there are 3 types of X-Frame Options. But where do I implement the SAMEORIGIN option and how?
X-Content-Type-Options Header Missing.

What do I need to do to solve these? Thank you.

You can set these in your Apache config files. One note of warning: If you use e.g. Adsense ads doing as suggested by security advidories will break your ads completely. — Alexander Dobernig, Feb 02 '21 at 05:27
@AlexanderDobernig Sorry I'm new to this, would you mind explaining what is Adsense ads? By the way, do I set it in any lines of my Apache config files? — Nicole, Feb 02 '21 at 06:23
Adsense is a platform for serving ads from Google to monetize your website. Be very careful with Apache configuration options like this because they can break everything! I did this once and returned little later to the original state as I had a lot of problems. — Alexander Dobernig, Feb 02 '21 at 06:30
Wow, thanks for the advice! I'll be sure to take note of it. :) — Nicole, Feb 02 '21 at 06:33
Please also see: https://stackoverflow.com/questions/17092154/x-frame-options-on-apache — Alexander Dobernig, Feb 02 '21 at 06:35
Note: If you have this WAMP server in your local network or at localhost and it will not be reachable from the Internet, forget the security warnings. If it is a public server on the Internet, there are far more dangers than that. — Alexander Dobernig, Feb 02 '21 at 06:41

Example person · Accepted Answer · 2021-02-02T06:43:28.193

1

Set the following headers:

X-Frame-Options: SAMEORIGIN
X-Content-Type-options: nosniff

Since you are using Apache, add the following to the apache config:

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options nosniff

The above won't do anything for a local test server. But, you should always set them in public production servers.

Remember: Even though it doesn't do anything for local servers, you could develop your website with this environment, so that it doesn't suffer when you release it on production.

edited Feb 02 '21 at 06:43

answered Feb 02 '21 at 06:38

Example person

3,198
3
18
45

Do I add these to any line of my apache config? – Nicole Feb 02 '21 at 07:34
@Nicole yes. make sure mod_headers is enabled – Example person Feb 02 '21 at 08:17
Sorry, how do I know if mod_headers is enabled? – Nicole Feb 02 '21 at 08:36
@Nicole In your httpd.conf, you should remove the `#` from the line saying: `#LoadModule headers_module ....` And restart apache] – Example person Feb 02 '21 at 08:39
@Nicole let me know if that is enough. – Example person Feb 02 '21 at 08:39
Hi, it managed to work. Thank you very much. Really appreciate your help. – Nicole Feb 02 '21 at 14:32

Azzam Daaboul · Answer 2 · 2022-06-27T13:37:13.960

-1

Since you are using Apache, add the following to the apache config:

Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options nosniff

Works perfect!

edited Jun 27 '22 at 13:37

answered Jun 27 '22 at 13:36

Azzam Daaboul

1
1

X-Frame-Options Header Not Set: How do I set it?

2 Answers2