[HELP] Implement "X-Frame-Options: DENY" to prevent Clickjacking / increase website security

Question:
How do I implement the code "X-Frame-Options: DENY" to prevent Clickjacking attacks?

Product:
Wix Editor

What are you trying to achieve:
As stated above, I need to implement the code X-Frame-Options: DENY to prevent Clickjacking. It is a security measure strongly recommended by a third-party web-security auditor (users upload personal details via our website and we need to ensure their info is protected).

What have you already tried:
I have already tried to paste "X-Frame-Options: DENY" and 'Header set X-Frame-Options "DENY"' in Settings > Advanced > Custom Code (settings: Header, All pages. Code type: Essential).

It was not successful.

Additional information:
Can someone offer/link to a step-by-step tutorial on how to implement this security measure on my WIX website?

Thank you

You cannot modify the http response headers returned when accessing a page built on Wix or Wix Studio.

In order to handle incoming requests to your site’s pages you should use the Wix Router API. The following API will give you the ability to change the HTTP Responses when accessing pages, however the response headers are not configurable.
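Since the response headers cannot be set from the site builder, the practical check is to look at what the deployed site actually sends. The following is an added example (not from this thread, and not Wix or Velo code) that classifies a response's framing protection from its headers, considering both the legacy X-Frame-Options header and the CSP frame-ancestors directive that modern browsers prefer when both are present. The header objects at the bottom are constructed samples; in practice you would feed it the headers from `curl -sI https://your-site.example`.

```javascript
// Added example: classify the clickjacking protection advertised by a set
// of HTTP response headers. Not code from the thread or from Wix.

// Lower-case header names so lookups are case-insensitive (HTTP header
// names are case-insensitive; fetch() and curl report them differently).
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Returns { protected, source, policy }:
//   protected: true when a browser will refuse to frame the page on
//              attacker-controlled origins
//   source:    'csp' (frame-ancestors), 'xfo' (X-Frame-Options) or null
//   policy:    the effective value that was evaluated
function framingProtection(headers) {
  const h = normalizeHeaders(headers);

  // Browsers that understand frame-ancestors ignore X-Frame-Options when
  // both are present, so CSP is evaluated first.
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp
      .split(';')
      .map((d) => d.trim())
      .find((d) => d.toLowerCase().startsWith('frame-ancestors'));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1).map((s) => s.toLowerCase());
      // 'none' and 'self' (or an explicit origin list) restrict framing;
      // '*' or a bare scheme such as https: lets any origin frame the page.
      const openToAll =
        sources.length === 0 ||
        sources.includes('*') ||
        sources.includes('https:') ||
        sources.includes('http:');
      return { protected: !openToAll, source: 'csp', policy: sources.join(' ') };
    }
  }

  const xfo = h['x-frame-options'];
  if (xfo) {
    const value = xfo.toUpperCase();
    if (value === 'DENY' || value === 'SAMEORIGIN') {
      return { protected: true, source: 'xfo', policy: value };
    }
    // ALLOW-FROM is obsolete and ignored by current browsers; any other
    // value is invalid and gives no protection.
    return { protected: false, source: 'xfo', policy: value };
  }

  return { protected: false, source: null, policy: null };
}

// Constructed sample responses (not captured from any real site).
const samples = {
  denied: { 'X-Frame-Options': 'DENY' },
  cspNone: { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  cspOverridesXfo: { 'content-security-policy': 'frame-ancestors *', 'X-Frame-Options': 'DENY' },
  obsolete: { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  nothing: { 'Content-Type': 'text/html' },
};

for (const [name, headers] of Object.entries(samples)) {
  console.log(name, framingProtection(headers));
}
```

The `cspOverridesXfo` sample is the case an auditor most often misses: a permissive `frame-ancestors` silently cancels a `DENY` in browsers that support CSP, so both headers have to be read together.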

Hi Thomasj,

Thank you for your response!

I will look into Wix Router API, but just to be sure I understand your message can you clarify: will I be able to successfully input X-Frame-Options: DENY using this method?

I only ask because you say, “however the response headers are not configurable.”

As a layman, I learned from some research that X-Frame-Options: DENY needs to be in the header… let me know.

Correct, you cannot modify http response headers (including the X-Frame-Options property) via the Velo API.

So, in short, protecting user-info from clickjacking is not possible on WIX?

Update!

I wanted to update my post in case there is someone else out there who needs to ensure their website visitors are protected from clickjacking.

Thanks to the WIX Dev Team on Discord I was able to implement a great workaround.

“What this code will do is check if the page is the top-level window. If not, you can break out of the iframe and redirect to your site’s URL”

In Settings > Advanced > Custom Code input:

<script>
  // If this page is not the top-level window, it is being framed:
  // navigate the top-level window to this page's own URL to break out.
  if (window !== window.top) {
    window.top.location.href = window.location.href;
  }
</script>
  1. Add Code to Pages: Load code on each new page (or specify specific pages.)
  2. Place Code in: Header (important)
  3. Code Type: Essential

The WIX Dev Team is awesome and was a huge help!
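A caveat a practitioner would want alongside the script above: a framing page can neutralise a plain frame-buster with `<iframe sandbox="allow-scripts">` (no `allow-top-navigation`), which lets the script run but blocks its attempt to navigate the top window, leaving the page framed and clickable. The following is an added example (not the Wix Dev Team's code and not from this thread) of the hardened variant of the same idea: the body starts hidden by a `<style>` rule and is only revealed once the script has confirmed it is the top-level window, so a blocked breakout still leaves the attacker nothing to click. The element id `antiClickjack` and the `fakeEnv` stand-in for `window`/`document` are assumptions of this example so the decision logic can be exercised outside a browser.

```javascript
// Added example: hardened frame-busting. Not from the thread or from Wix.
//
// Intended deployment, in the <head> of the page (hypothetical id):
//   <style id="antiClickjack">body { display: none !important; }</style>
//   <script> /* this function */ antiClickjack(window, document); </script>

// Returns 'shown' (top-level, body revealed), 'breakout' (framed, top
// window navigated) or 'hidden' (framed and navigation was refused).
// In the framed cases the hiding style is never removed, so even if the
// breakout is silently ignored the page remains blank inside the frame.
function antiClickjack(win, doc) {
  const framed = win.self !== win.top;
  if (!framed) {
    const style = doc.getElementById('antiClickjack');
    if (style && style.parentNode) style.parentNode.removeChild(style);
    return 'shown';
  }
  try {
    // Cross-origin navigation of top is permitted unless the frame is
    // sandboxed without allow-top-navigation, in which case it throws.
    win.top.location.href = win.self.location.href;
    return 'breakout';
  } catch (e) {
    return 'hidden';
  }
}

// Constructed stand-ins for window and document (not real browser objects)
// so the three outcomes can be demonstrated and tested offline.
function fakeEnv({ framed, blockNav }) {
  const env = { navigatedTo: null, styleRemoved: false };
  const self = { location: { href: 'https://victim.example/upload' } };
  const top = { location: {} };
  Object.defineProperty(top.location, 'href', {
    get: () => 'https://attacker.example/',
    set: (url) => {
      if (blockNav) throw new Error('SecurityError: top navigation blocked by sandbox');
      env.navigatedTo = url;
    },
  });
  env.win = { self, top: framed ? top : self };
  const styleEl = { parentNode: { removeChild: () => { env.styleRemoved = true; } } };
  env.doc = { getElementById: (id) => (id === 'antiClickjack' ? styleEl : null) };
  return env;
}

for (const scenario of [
  { framed: false, blockNav: false }, // normal visit
  { framed: true, blockNav: false },  // plain <iframe>: breakout succeeds
  { framed: true, blockNav: true },   // sandboxed <iframe>: stays hidden
]) {
  const env = fakeEnv(scenario);
  console.log(scenario, antiClickjack(env.win, env.doc), env);
}
```

The trade-off is that the page renders blank for visitors with scripting disabled, which is why this pattern is treated as a fallback for when the proper fix (an X-Frame-Options or CSP frame-ancestors response header) is not available.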

Thanks for this. I just wanted to confirm that the above insertion of the code in custom settings worked and protected your site? I too was looking for this solution.

Hi James, to my knowledge it is working. My IT department did some tests and confirmed this solution worked for us.


Great, thank you so much