If you, like me, got too big for your boots and tried to lock down your server using ‘best practice’ pre-rolled Apache server config settings without fully understanding how they work, then good on us both for trying, but let’s never do it again.
Specifically, I tried to lock down clickjacking like this in my httpd.conf:
```apache
# The example below sends the `X-Frame-Options` response header with
# the value `DENY`, informing browsers not to display the content of
# the web page in any frame.
#
# This might not be the best setting for everyone. You should read
# about the other two possible values the `X-Frame-Options` header
# field can have: `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header
# for all of your website’s pages, this has the potential downside that
# it forbids even non-malicious framing of your content (e.g.: when
# users visit your website using a Google Image Search results page).
#
# Nonetheless, you should ensure that you send the `X-Frame-Options`
# header for all pages that allow a user to make a state changing
# operation (e.g: pages that contain one-click purchase links, checkout
# or bank-transfer confirmation pages, pages that make permanent
# configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website
# against more than just clickjacking attacks:
# https://cure53.de/xfo-clickjacking.pdf.
#
# https://tools.ietf.org/html/rfc7034
# http://blogs.msdn.com/b/ieinternals/archive/2010/03/30/combating-clickjacking-with-x-frame-options.aspx
# https://www.owasp.org/index.php/Clickjacking

<IfModule mod_headers.c>
    Header set X-Frame-Options "DENY"

    # `mod_headers` cannot match based on the content-type, however,
    # the `X-Frame-Options` response header should be sent only for
    # HTML documents and not for the other resources.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|mp3|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
</IfModule>
```
There’s lots to read about clickjacking, but what was most important to me was that it pretty much knackered my WordPress install, to the point where I could only update a single plugin at a time, and after every plugin update I had to delete the “.maintenance” file to get the site back running. That, and WordPress and theme updates would complete but never TELL me they’d completed, so I’d just have to wait a while, then go back to the admin page and hope for the best.
Anyway, if you have this issue and have been twiddling X-Frame-Options in your Apache config, the short answer is: don’t, at least not with DENY across the whole site. The WordPress bulk updater (wp-admin/update-core.php) shows its progress by loading update.php in a same-origin iframe, and DENY tells the browser to refuse that frame too, whereas the single-plugin update on the plugins page goes through an AJAX request and still works, which matches the one-at-a-time symptom above. SAMEORIGIN keeps the clickjacking protection (no other site can frame your pages) without breaking your own admin, and it is the value WordPress already sends for wp-admin and wp-login.php itself, so an Apache-level DENY was simply overriding it.
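For comparison, here is the same mod_headers block with the value corrected. This is an added example, not the config from the original post or from the config template it was lifted from; `example.com` and the asset path in the verification comments are placeholders, and the Content-Security-Policy line is optional and assumes nothing else on the site already sends that header.

```apache
# Added example, not the post's own config: same structure as the block
# above, but X-Frame-Options is SAMEORIGIN instead of DENY. SAMEORIGIN
# still refuses framing by any other origin (the clickjacking case) but
# lets the site frame its own pages, which the WordPress admin bulk
# updater depends on. WordPress already sends exactly this value for
# wp-admin and wp-login.php, so Apache and PHP no longer disagree.
<IfModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"

    # Optional: ALLOW-FROM was never supported by Chrome or Safari and
    # was dropped by Firefox, and browsers that understand CSP ignore
    # X-Frame-Options when a frame-ancestors directive is present, so
    # CSP is the way to allow a specific third-party origin to frame you.
    # 'self' is equivalent to SAMEORIGIN. Only add this if nothing else
    # on the site already sends a Content-Security-Policy header, because
    # "set" replaces any existing value.
    Header set Content-Security-Policy "frame-ancestors 'self'"

    # Static assets are never rendered as framed documents, so the header
    # is dropped there. mod_headers cannot match on Content-Type, hence
    # the file-extension match, unchanged from the original block.
    <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|mp3|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
        Header unset X-Frame-Options
    </FilesMatch>
</IfModule>

# Verification after reloading Apache (example.com is a placeholder):
# the front page should carry SAMEORIGIN, a stylesheet should carry
# nothing, and the WordPress bulk plugin update should run to completion
# without leaving .maintenance behind.
#   curl -sI https://example.com/ | grep -i x-frame-options
#   curl -sI https://example.com/wp-includes/css/dashicons.min.css | grep -i x-frame-options
```

The point of keeping the FilesMatch block is unchanged from the original: the header only matters on documents a browser can frame, and stripping it from assets avoids noise without weakening anything. If a page on your site genuinely must be framed by another origin, express that with `frame-ancestors` rather than by removing the header site-wide.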