I added the 

<meta http-equiv="X-Frame-Options" content="deny">

in the header.tpl file, but it is not working and throws the error.

Quote

X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside <meta>.

And I also added the 

Header always append X-Frame-Options SAMEORIGIN

line in the .htaccess file. But this is also not working.

Then how can I prevent Clickjacking on my Website?

 


  • 2 months later...

X Frame Options are deprecated, add the following to the top of your .htaccess file: Header set Content-Security-Policy "frame-ancestors 'none';"

This will prevent clickjacking. 😉

P.S. You cannot use <meta> for this purpose.

If you do want to use X Frame Options, then just put this into the top of your .htaccess file: Header set X-Frame-Options "DENY"

You are welcome to put both in if it makes you feel more comfortable & secure.

Edited by Kurt07 (see edit history)

  • 1 year later...

Hi @Kurt07, I am not a programming expert, but I added your code like this. Is that correct or am I wrong?

# ~~start~~ Do not remove this comment, Prestashop will keep automatically the code outside this comment when .htaccess will be generated again
# .htaccess automaticaly generated by PrestaShop e-commerce open-source solution
# http://www.prestashop.com - http://www.prestashop.com/forums

Header set Content-Security-Policy "frame-ancestors none;
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security: max-age=63072000;
 
<IfModule mod_rewrite.c>
<IfModule mod_env.c>
SetEnv HTTP_MOD_REWRITE On
</IfModule>

RewriteEngine on
RewriteCond %{HTTP:Authorization} ^(.*)
RewriteRule . - [E=HTTP_AUTHORIZATION:%1]

But on the security scan I have these results:

How can I solve the problem?

Prestashop 1.7.7.8

Thanks

 

2.JPG
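
A check of the Header lines posted above, as an added example that is not part of the thread: it replays `Header set` and `Header append` the way mod_headers applies them (a simplified model covering only those two actions) and reports why the frame-ancestors policy is not in the response. The names `audit`, `frame_ancestors` and `BROKEN` are constructed for illustration.

```python
import shlex
# Constructed sample: Header lines taken from the .htaccess posted in the thread.
BROKEN = '''Header set Content-Security-Policy "frame-ancestors none;
Header set X-Frame-Options "DENY"
Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
Header always append X-Frame-Options SAMEORIGIN
'''

def frame_ancestors(policy):
    """Return the source list of frame-ancestors, or None if the directive is absent."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def audit(htaccess):
    """Replay set/append as mod_headers applies them and list anti-framing problems."""
    tables = {"onsuccess": {}, "always": {}}  # the two conditions are kept separately
    findings = []
    for n, line in enumerate(htaccess.splitlines(), 1):
        if not line.strip().lower().startswith("header "):
            continue
        try:
            tok = shlex.split(line)
        except ValueError:  # shlex reports a missing closing quotation mark
            findings.append(f"line {n}: unbalanced quote")
            tok = shlex.split(line + '"')
        cond = tok.pop(1).lower() if tok[1].lower() in tables else "onsuccess"
        if len(tok) < 4:
            continue
        action, name, value = tok[1].lower(), tok[2].rstrip(":").lower(), tok[3]
        table = tables[cond]
        if action == "set":  # set replaces any earlier value of the same header
            if name in table:
                findings.append(f"line {n}: set discards earlier {name} {table[name]!r}")
            table[name] = value
        elif action == "append":
            table[name] = f"{table[name]}, {value}" if name in table else value
    sent = lambda h: [t[h] for t in tables.values() if h in t]
    sources = [s for s in map(frame_ancestors, sent("content-security-policy")) if s is not None]
    if not sources:
        findings.append("no frame-ancestors directive in the CSP that is sent")
    elif any("none" in s for s in sources):  # bare none is a host name, not the keyword
        findings.append("frame-ancestors none needs single quotes: 'none'")
    xfo = sorted({v.strip().upper() for h in sent("x-frame-options") for v in h.split(",")})
    if len(xfo) > 1:
        findings.append("conflicting X-Frame-Options values: " + ", ".join(xfo))
    return findings
```

A single merged Content-Security-Policy that ends with frame-ancestors 'none' together with one X-Frame-Options value produces an empty findings list.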
