Use DENY as the default value for X-Frame-Options

The role of the security related examples is to provide the most secure way of doing things. In the case of `X-Frame-Options`, it turns out that invisible site-wide XSS attacks might bypass the header if it's send with the more tolerant value of `SAMEORIGIN`. Ref: https://cure53.de/xfo-clickjacking.pdf
h5bp · Nov 12, 2013 · e6b77c6 · e6b77c6
1 parent 735c8f4
commit e6b77c6
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 9 deletions.
diff --git a/.htaccess b/.htaccess
@@ -259,15 +259,14 @@ AddDefaultCharset utf-8
 # Protect web site against clickjacking.
 
 # The example below sends the `X-Frame-Options` response header with the value
-# `SAMEORIGIN`, informing browsers not to display the web page content in any
-# frame from a page of different origin than the content itself.
+# `DENY`, informing browsers not to display the web page content in any frame.
 
 # This might not be the best setting for everyone. You should read about the
-# other two possible values for `X-Frame-Options`: `DENY` and `ALLOW-FROM`.
+# other two possible values for `X-Frame-Options`: `SAMEORIGIN` and `ALLOW-FROM`
 # http://tools.ietf.org/html/rfc7034#section-2.1.
 
-# Also, keep in mind that while you could send the `X-Frame-Options` header for
-# all of your site’s pages, this has the potential downside that it forbids even
+# Keep in mind that while you could send the `X-Frame-Options` header for all
+# of your site’s pages, this has the potential downside that it forbids even
 # non-malicious framing of your content (e.g.: when users visit your site using
 # a Google Image Search results page).
 
@@ -276,6 +275,9 @@ AddDefaultCharset utf-8
 # that contain one-click purchase links, checkout or bank-transfer confirmation
 # pages, pages that make permanent configuration changes, etc.).
 
+# Sending the `X-Frame-Options` header can also protect your web site against
+# more than just clickjacking attacks: https://cure53.de/xfo-clickjacking.pdf.
+
 # http://tools.ietf.org/html/rfc7034
 # http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
 # https://www.owasp.org/index.php/Clickjacking

diff --git a/README.md b/README.md
@@ -9,17 +9,19 @@ accessible, if needed, even cross-domain.
 
 If you have access to the [main server configuration
 file](http://httpd.apache.org/docs/current/configuring.html#main)
-(usually called `httpd.conf`), you should add the logic from the `.htaccess`
+(usually called `httpd.conf`), you should add the logic from the
+[`.htaccess`](https://github.com/h5bp/server-configs-apache/tree/master/.htaccess)
 file in, for example, a
 [`<Directory>`](http://httpd.apache.org/docs/current/mod/core.html#directory)
 section in the main configuration file. This is usually the recommended way, as
 using `.htaccess` files [slows
 down](http://httpd.apache.org/docs/current/howto/htaccess.html#when) Apache!
 
-If you don't have access, which is quite common with hosting services, just put
-the `.htaccess` file in the root of the website.
+If you don't have access, which is quite common with hosting services, just copy
+the [`.htaccess`](https://github.com/h5bp/server-configs-apache/tree/master/.htaccess)
+file in the root of the website.
 
-Also note that, some configurations won't have any effect if the appropriate
+Also note that some configurations won't have any effect if the appropriate
 modules aren't enabled. So, in order for everything to work as intended, you
 need to ensure the you have the following Apache modules
 [enabled](https://github.com/h5bp/server-configs-apache/wiki/How-to-enable-Apache-modules):