Send X-Frame-Options header only for web pages

alrra · alrra · commit bf163ca6204b · 2013-11-05T00:41:09.000+02:00
Sending the `X-Frame-Options` header for everything by default, doesn't bring any value when it comes to providing clickjacking protection. Even if some developers may want to send this header for some other content (e.g. images) to block websites from using it, for the majority, that won't be the case. Ref: #8 #9
diff --git a/.htaccess b/.htaccess
@@ -258,15 +258,23 @@ AddDefaultCharset utf-8
 
 # Protect web site against clickjacking.
 
-# Options available:
-# SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
-# DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
-# ALLOW-FROM uri This setting will allow page to be displayed only on the specified origin.
+# The example below sends the `X-Frame-Options` response header with the value
+# `SAMEORIGIN`, informing browsers not to display the web page content in any
+# frame from a page of different origin than the content itself.
 
-# More info: https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
+# This might not be the best setting for everyone. You should read about the
+# other two possible values for `X-Frame-Options`: `DENY` and `ALLOW-FROM`.
+# http://tools.ietf.org/html/rfc7034#section-2.1.
+
+# http://tools.ietf.org/html/rfc7034
+# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
+# https://www.owasp.org/index.php/Clickjacking
 
 # <IfModule mod_headers.c>
 #     Header set X-Frame-Options "SAMEORIGIN"
+#     <FilesMatch "\.(appcache|crx|css|cur|eot|gif|htc|ico|jpe?g|js|m4a|m4v|manifest|mp4|oex|oga|ogg|ogv|otf|pdf|png|safariextz|svgz?|ttf|vcf|webapp|webm|webp|woff|xml|xpi)$">
+#        Header unset X-Frame-Options
+#     </FilesMatch>
 # </IfModule>
 
 # ------------------------------------------------------------------------------
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,6 @@
 ### HEAD
 
+* Add example on how to provide clickjacking protection ([#8](https://github.com/h5bp/server-configs-apache/issues/8)).
 * Add example on how to reduce MIME type security risks ([#8](https://github.com/h5bp/server-configs-apache/issues/8)).
 * Add configs for cursor images (`.cur`).
 * Fix backup and source file blocking for Apache v2.3+ ([#5](https://github.com/h5bp/server-configs-apache/issues/5)).
