How can I prevent Clickjacking attack on my Prestashop website?

Question

I added the

<meta http-equiv="X-Frame-Options" content="deny">

in header.tpl file ,but it not working and throws an error.

X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside .

And I also added the

Header always append X-Frame-Options SAMEORIGIN

line in .htaccess file. But this is also not working.

Then how can I prevent Clickjacking on my Website?

For references : Clickjacking Defense Cheat Sheet | OWASP and X-Frame-Options - HTTP

Why do you think the response header is not working? Does the server send it? That's the right solution. — Gabor Lengyel, Feb 12 '20 at 11:27
Okay. But in cPanel how can I add the header in httpd.conf ? — Kumar R, Feb 12 '20 at 12:35

score 0 · Answer 1 · answered Jan 05 '22 at 10:17

I suggest you to edit the .htaccess in your PrestaShop root folder installation and, just before the lines identified by "# ~~start~~ Do not remove..." add the following block:

# Extra Security Headers
<IfModule mod_headers.c>
   Header set Content-Security-Policy "default-src 'unsafe-inline' 'unsafe-eval' 'self' *.googleapis.com *.gstatic.com;"
   Header set X-XSS-Protection "1; mode=block"
   Header always append X-Frame-Options SAMEORIGIN
   Header set X-Content-Type-Options nosniff
   Header set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
</IfModule>

This will provide protection against: clickjacking - content sniffing - XSS attacks

How can I prevent Clickjacking attack on my Prestashop website?

1 Answers1