# ClickJacking and SSL Protection in Apache
On the [Chromium blog](https://blog.chromium.org/) today, Google
[announced](https://blog.chromium.org/2010/01/security-in-depth-new-security-features.html)
a couple of new features to do with improving the safety of web browsing. I've
implemented them both for this website in Apache. The first one is named,
"Strict-Transport-Security," and is currently supported by both Google Chrome
and NoScript, with a native Firefox version under development. It allows you to
specify in your HTTPS response headers that the user agent should perform more
strict SSL checks on future requests, with a server configurable timeout. The
idea of this is that it will help to prevent MITM attacks where the user just clicks through the SSL warnings
whilst ignoring them. https://www.paypal.com/ already supports this feature.
I've currently implemented it with a 30 minute timeout, which I'll increase once
I've had it running for a while. I used mod_headers for Apache. Adding the
following simple configuration to the .htaccess file in the site's document root
was all that was required:

```apache
Header set Strict-Transport-Security "max-age=1800"
```
The second security feature described on the blog exists to defend against
[ClickJacking](https://www.wikipedia.org/wiki/Clickjacking). The idea behind
this is that you should be able to specify that certain web pages (all?) on your
site are not allowed to be opened inside an iFrame. Like
Strict-Transport-Security, this is done by sending an HTTP response header. This
is already supported by Google Chrome, Safari 4 and IE8. It also seems to work
under Firefox here, but I'm not sure if that is provided by NoScript. Because I
don't use iFrames at all, I implemented it site wide on this website. I used
mod_headers again, and updated my .htaccess to contain the following:

```apache
Header set X-Frame-Options "deny"
```
The "Origin" header is also mentioned as a means to prevent CSRF attacks, but I won't implement that until the
format is finalised.
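As an added example (not code from the original post), here is a small offline checker for the two headers configured above. It parses the Strict-Transport-Security directives, checks that max-age meets a chosen minimum, flags the common mistake of sending the header over plain HTTP (browsers ignore it there, so it gives no protection), and verifies X-Frame-Options carries a recognised value. The sample responses are constructed, not captured from any real site.

```python
"""Offline policy check for Strict-Transport-Security and X-Frame-Options headers."""


def parse_hsts(value):
    """Parse e.g. 'max-age=1800; includeSubDomains' into a dict.

    Directive names are lower-cased; max-age is converted to int.
    Returns None when no usable max-age is present.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"')
    try:
        directives["max-age"] = int(directives["max-age"])
    except (KeyError, ValueError):
        return None
    return directives


def check_headers(scheme, headers, min_max_age=1800):
    """Return a list of findings for one response; an empty list means the policy is met."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if scheme == "https":
        if hsts is None:
            findings.append("missing Strict-Transport-Security")
        else:
            parsed = parse_hsts(hsts)
            if parsed is None:
                findings.append("unparseable Strict-Transport-Security max-age")
            elif parsed["max-age"] < min_max_age:
                findings.append(f"Strict-Transport-Security max-age {parsed['max-age']} below {min_max_age}")
    elif hsts is not None:
        # The header only has effect when received over TLS; over HTTP it is ignored.
        findings.append("Strict-Transport-Security sent over plain HTTP is ignored by browsers")
    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("missing X-Frame-Options")
    elif xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"unrecognised X-Frame-Options value {xfo!r}")
    return findings


# Constructed sample responses (scheme, headers); not captured from any real site.
SAMPLES = {
    "this_post": ("https", {"Strict-Transport-Security": "max-age=1800", "X-Frame-Options": "deny"}),
    "no_xfo": ("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
    "hsts_over_http": ("http", {"Strict-Transport-Security": "max-age=1800", "X-Frame-Options": "DENY"}),
}

if __name__ == "__main__":
    for name, (scheme, headers) in SAMPLES.items():
        print(name, check_headers(scheme, headers) or ["ok"])
```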