Prevent Clickjacking Of E-Commerce, Logins And Forms

danielpmc

New member
Use one or the other to prevent other sites from iframing your site in order to prevent clickjacking. Deny means nobody can iframe your site, Sameorigin means you can iframe a page or content of yours elsewhere on your site. Place the code in your cPanel/public_html/.htaccess file or equivalent.

Code:
# Pick one: DENY blocks all framing; SAMEORIGIN allows framing only by pages of this same site
Header always set X-Frame-Options "DENY"
Header always set X-Frame-Options "SAMEORIGIN"

This is not for hotlinking, it is to prevent clickjacking. These types of headers are part of what they call Content Security Policy. It is a complex way of denying man-in-the-middle attacks, page reload attacks, breaches and exploits. To write a Content Security Policy is a very effective way of securing traffic in and out of any server. But it can be very challenging to understand and code. I am currently working on a tutorial which I will post here within a week.


In a nutshell, if somebody wanted to steal your E-commerce shopping cart's info or website login info, they would copy your shopping cart or login page and host it somewhere in a dark corner of the internet. Now, skipping some details which I obviously am not going to tell you, they iframe your site on top of the fake pages under their control. So when a person inputs credit card info or logins, it is actually being typed into the fake site and the hacker receives the credit card or login info.

Be safe out there!
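As an added example, not from the original post: once the `.htaccess` line above is in place, the way to confirm it took effect is to look at the response headers your server actually sends. The Python below classifies a set of response headers according to the two mechanisms browsers use for framing protection: the `X-Frame-Options` header from the post, and the `Content-Security-Policy` directive `frame-ancestors`, which replaces it in current browsers and takes precedence whenever both are present. The header sets it evaluates are constructed samples, not captured from any real site, and the script models header semantics only; it does not perform an HTTP request.

```python
"""Classify whether an HTTP response's headers stop the page from being framed.

Added example, not code from the original post. It models the two mechanisms
browsers honour as clickjacking defence: the X-Frame-Options header and the
Content-Security-Policy frame-ancestors directive (which wins when both exist).
"""
from typing import Dict, List, Mapping


def _csp_directives(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [lower-cased source tokens]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def frame_protection(headers: Mapping[str, str]) -> Dict[str, object]:
    """Return {"protected": bool, "mechanism": str, "detail": str}.

    Header names are compared case-insensitively, as browsers do.
    """
    lowered = {name.lower(): value for name, value in headers.items()}

    # 1. CSP frame-ancestors: if present, browsers ignore X-Frame-Options entirely.
    csp = lowered.get("content-security-policy", "")
    directives = _csp_directives(csp) if csp else {}
    if "frame-ancestors" in directives:
        sources = directives["frame-ancestors"]
        if sources == ["'none'"]:
            return {"protected": True, "mechanism": "csp-frame-ancestors",
                    "detail": "no site may frame this page"}
        if not sources:
            return {"protected": False, "mechanism": "csp-frame-ancestors",
                    "detail": "frame-ancestors has no source list; treat as misconfigured"}
        if "*" in sources:
            return {"protected": False, "mechanism": "csp-frame-ancestors",
                    "detail": "wildcard lets any site frame this page (overrides X-Frame-Options)"}
        return {"protected": True, "mechanism": "csp-frame-ancestors",
                "detail": "framing limited to: " + " ".join(sources)}

    # 2. X-Frame-Options: only DENY and SAMEORIGIN are honoured by current browsers.
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return {"protected": True, "mechanism": "x-frame-options",
                "detail": "no site may frame this page"}
    if xfo == "SAMEORIGIN":
        return {"protected": True, "mechanism": "x-frame-options",
                "detail": "only pages from the same origin may frame this page"}
    if xfo.startswith("ALLOW-FROM"):
        return {"protected": False, "mechanism": "x-frame-options",
                "detail": "ALLOW-FROM is obsolete and not supported by current browsers; use frame-ancestors"}
    if xfo:
        # Unrecognised or conflicting values (e.g. "DENY, SAMEORIGIN") are ignored by browsers.
        return {"protected": False, "mechanism": "x-frame-options",
                "detail": "unrecognised value %r is ignored by browsers" % xfo}

    # 3. Nothing at all: any site can frame the page.
    return {"protected": False, "mechanism": "none",
            "detail": "neither X-Frame-Options nor frame-ancestors is set"}


# Constructed sample header sets (not captured from a real server).
SAMPLE_RESPONSES = {
    "htaccess DENY": {"X-Frame-Options": "DENY"},
    "htaccess SAMEORIGIN": {"x-frame-options": "sameorigin"},
    "CSP none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "CSP wildcard overrides XFO": {"X-Frame-Options": "DENY",
                                   "Content-Security-Policy": "frame-ancestors *"},
    "unprotected": {"Content-Type": "text/html"},
}


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        result = frame_protection(hdrs)
        print(f"{label:28} protected={str(result['protected']):5} "
              f"via {result['mechanism']}: {result['detail']}")
```

Run it as-is to see the five constructed cases, or feed `frame_protection()` the headers from a real response (for example the dictionary returned by `requests.get(...).headers` or `urllib`'s `response.headers`) to check your own site after editing `.htaccess`. The case worth noticing is "CSP wildcard overrides XFO": a `DENY` header does nothing once a `frame-ancestors *` directive is also sent, so a site adding CSP later must keep the two consistent.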