Htaccess code for secure cross site iframe

I have some customers who use an iframe to pull one of our sites into theirs.
In its most simple setup, it works just fine.
However, cross-site scripting, click-jacking, etc. are a security issue.

So, what I need is to get the servers to deny iframes with the exceptions of particular sites/URLs.
(Allow Site-B to pull Site-A into the Site-B iframe)
Our setup is a Linux server running Apache.
I have a php site. (Site-A)

I’ve been reading up on CORS, x-frame-options, XMLHttpRequest, access-control, etc.
I’m testing this on 2 separate sites (Site-A, Site-B) on 2 separate servers (Linux/Apache, unknown).

I’m no good at htaccess and do not understand apache.
I cannot get anything to work.
I always end up with 500 Server Errors.

I’ve seen so many different methods for this, that I’m overwhelmed.
I’ve asked several people, both front end developers and server people to no avail.

Does anyone know how to make this work???


I’ve had a situation like this for many years but I’ve never used mod_rewrite for this. Instead, I include code in PHP scripts to check the referrer and require specific IP address (else terminate the script).

IMHO, this is a PHP issue so that board would be of far greater help (unless you want to PM me directly for an example of the code I use).



DK and the Bear, thanks for responding, I do appreciate the feedback.

Right now, I’m making use of the htaccess file to serve up HTTP headers and create a whitelist of URLs that override x-frame-options in apache.

I understand that there are various methods that can be used here; htaccess is my preferred option after a lot of reading.

I wasn’t really quite sure where to put this, but I don’t feel that being moved to the PHP boards serves me well at all.


I’ve made progress on the htaccess solution.
I wasn’t seeing the full picture.
I need one server with the apache/htaccess code/config, not both.

I have it working under the SAMEORIGIN config, but not outside of that.
My htaccess includes ALLOW-FROM uri, but it is not overriding the apache config of SAMEORIGIN.

The server people (an outside company) say they have turned on the overrides for me.
Sadly, I’m dealing with people who know Linux quite well, but when it comes to Apache, they are not very knowledgeable at all. I’m not either. I’m not sure what they need to do to get it working.

Any feedback is greatly appreciated.
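As an added example (not the poster's own file), here is the allow-list approach discussed in this thread written as an .htaccess fragment; `https://site-b.example` is a placeholder for the framing site. It assumes `mod_headers` is loaded and that the directory's `AllowOverride` includes `FileInfo`, which `Header` lines in .htaccess require (without it Apache returns a 500). `ALLOW-FROM` was only ever honoured by Internet Explorer and older Firefox, so the CSP `frame-ancestors` directive is what actually enforces the allow-list in current browsers.

```apache
# Guard so a missing mod_headers does not turn into a 500 for the whole site.
<IfModule mod_headers.c>

    # Weak / non-working setting (kept commented out for comparison):
    # Chrome, Safari and current Firefox ignore ALLOW-FROM entirely, so this
    # line enforces nothing in those browsers.
    # Header always set X-Frame-Options "ALLOW-FROM https://site-b.example"

    # Corrected setting: an explicit allow-list of framing origins.
    # 'self' keeps same-origin framing working; add one origin per site.
    # If this site already sends a Content-Security-Policy, add
    # frame-ancestors to that policy instead of replacing it with "set".
    Header always set Content-Security-Policy "frame-ancestors 'self' https://site-b.example"

    # Fallback for browsers without CSP2 support: same-origin framing only.
    # Browsers that understand frame-ancestors ignore X-Frame-Options when
    # both are present, so the two headers do not conflict.
    # mod_headers keeps separate "always" and default (onsuccess) tables;
    # unset in both first, otherwise a SAMEORIGIN value inherited from the
    # server config may be sent alongside the value set here.
    Header unset X-Frame-Options
    Header always unset X-Frame-Options
    Header always set X-Frame-Options "SAMEORIGIN"

</IfModule>
```

A quick check from the shell is `curl -sI https://site-a.example/ | grep -i -E 'x-frame-options|content-security-policy'`; if the headers are missing or the value is not what the file sets, the host's `AllowOverride` is the first thing to verify.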

