HTTP Security Header
X-Frame-Options
Protects visitors against clickjacking (UI redressing) by telling the browser whether the response may be rendered inside a <frame>, <iframe>, <embed> or <object>. The header is sent by the page that could be framed, not by the framing page, and it is the visitor's browser that enforces it: a browser that does not recognise the value ignores the header and renders the page in the frame.
Configuration Snapshot
- Header Name: X-Frame-Options
- Primary Mitigation: Clickjacking (UI Redressing)
Example Configuration
X-Frame-Options: DENY
Implementation Best Practices
- Use DENY if the page should never be framed, not even by your own site
- Use SAMEORIGIN if you only frame pages from your own origin; browsers check every ancestor frame, not just the top-level page, so a same-origin frame nested inside a third-party page is still blocked
- Do not use ALLOW-FROM: it was never supported by Chromium and has been removed from Firefox, and a browser that does not recognise the value ignores the header entirely, leaving the page frameable by any origin. To allow specific partner origins, use the CSP frame-ancestors directive instead
- Send the header on every HTML response (including error pages and authenticated views), and only as an HTTP response header; a <meta http-equiv> equivalent is ignored by browsers
- Send exactly one value. If the application, a reverse proxy and a CDN each add the header, make them agree: browsers treat conflicting values (for example DENY alongside SAMEORIGIN) as DENY, which is safe but breaks legitimate framing
- Modern applications should migrate to the CSP frame-ancestors directive (DENY becomes frame-ancestors 'none', SAMEORIGIN becomes frame-ancestors 'self'). When an enforced frame-ancestors directive is present the browser ignores X-Frame-Options altogether, so keep both headers for older browsers and make sure they express the same policy
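As an added example (not code from this page), the following Python models the decision a browser makes when a response carrying X-Frame-Options is loaded inside a frame, following the HTML Standard's processing algorithm: DENY, SAMEORIGIN checked against every ancestor frame, conflicting values arriving from several layers, the ignored ALLOW-FROM value, and the rule that an enforced CSP frame-ancestors directive makes the browser disregard X-Frame-Options. The URLs, origins and header sets are constructed for illustration; the CSP handling is a simplification that only detects the directive's presence (an assumption noted in the code), because evaluating the CSP policy itself is a separate algorithm.

```python
"""Model of the browser-side X-Frame-Options decision.

Added example, not part of the original page. It follows the HTML Standard's
"check a navigation response's adherence to X-Frame-Options" algorithm with one
simplification (assumption): Content-Security-Policy is only checked for the
presence of an enforced frame-ancestors directive, which makes the browser
ignore X-Frame-Options entirely; evaluating the CSP itself is out of scope.
Ancestor origins are passed in as already-serialised strings such as
"https://app.example".
"""
from __future__ import annotations

from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Serialise a URL's origin as scheme://host[:port], dropping default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def header_values(headers: list[tuple[str, str]], name: str) -> list[str] | None:
    """The "get, decode, and split" step: every instance of the header (names are
    case-insensitive), split on commas and whitespace-trimmed. None when absent."""
    values: list[str] = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(part.strip() for part in value.split(","))
    return values if values else None


def has_enforced_frame_ancestors(headers: list[tuple[str, str]]) -> bool:
    """True if an enforced Content-Security-Policy header (not the Report-Only
    variant) carries frame-ancestors; the browser then ignores X-Frame-Options."""
    for key, value in headers:
        if key.lower() == "content-security-policy":
            for directive in value.split(";"):
                if directive.strip().lower().startswith("frame-ancestors"):
                    return True
    return False


def framing_decision(response_url: str, headers: list[tuple[str, str]],
                     ancestor_origins: list[str]) -> tuple[str, str]:
    """Decide whether the response may be rendered in a frame.

    ancestor_origins lists the origin of every ancestor document, top-level
    first; an empty list means a top-level navigation. Returns (outcome, reason)
    with outcome "allow", "deny" or "csp" (X-Frame-Options ignored because an
    enforced CSP frame-ancestors directive governs instead).
    """
    if not ancestor_origins:
        return "allow", "top-level navigation; X-Frame-Options does not apply"
    if has_enforced_frame_ancestors(headers):
        return "csp", "enforced CSP frame-ancestors present; X-Frame-Options ignored"
    raw = header_values(headers, "X-Frame-Options")
    if raw is None:
        return "allow", "no X-Frame-Options header"
    distinct = {v.lower() for v in raw}
    # Conflicting values from different layers (app, proxy, CDN) fail closed.
    if len(distinct) > 1 and distinct & {"deny", "sameorigin", "allowall"}:
        return "deny", f"conflicting values {sorted(distinct)}"
    first = raw[0].lower()
    if first == "deny":
        return "deny", "DENY"
    if first == "sameorigin":
        own = origin_of(response_url)
        for ancestor in ancestor_origins:  # every ancestor, not just the top page
            if ancestor != own:
                return "deny", f"SAMEORIGIN: ancestor {ancestor} is not {own}"
        return "allow", "SAMEORIGIN: all ancestors are same-origin"
    # Anything else, including the withdrawn ALLOW-FROM, is not recognised: the
    # header is ignored and the page is frameable by any origin.
    return "allow", f"unrecognised value {raw[0]!r} ignored"


def equivalent_frame_ancestors(xfo_value: str) -> str | None:
    """CSP directive expressing the same policy as one X-Frame-Options value.
    ALLOW-FROM has no mapping: list the permitted origins explicitly instead."""
    return {"deny": "frame-ancestors 'none'",
            "sameorigin": "frame-ancestors 'self'"}.get(xfo_value.strip().lower())


if __name__ == "__main__":
    # Constructed scenarios: a page at app.example embedded by an attacker's page.
    page = "https://app.example/account"
    attacker = ["https://evil.example"]
    for hdrs in ([("X-Frame-Options", "DENY")],
                 [("X-Frame-Options", "SAMEORIGIN")],
                 [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
                 [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
                 [("X-Frame-Options", "SAMEORIGIN"),
                  ("Content-Security-Policy", "frame-ancestors 'none'")]):
        print(hdrs, "->", framing_decision(page, hdrs, attacker))
```

The ALLOW-FROM scenario is the one worth running against your own assumptions: the header is present, looks restrictive, and yet the decision is "allow" for the attacker's origin. The same function also shows why duplicated headers from an application and its CDN must agree, and why adding frame-ancestors changes which header is actually being evaluated.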
Audit Your Configuration
Properly implementing X-Frame-Options is critical to a robust security posture. A misconfigured header can leave your application exposed to clickjacking, or accidentally block legitimate framing by your own pages. Because the policy is only as strong as the headers that actually reach the browser, check the live production responses (after any reverse proxy or CDN has added or rewritten headers) rather than the application configuration alone. Use our Security Headers auditing tool to evaluate your live production setup.