Prevents sites from being displayed inside an iframe.

This HTTP response header controls whether the page may be loaded inside an iframe. A server can use it to protect against certain attacks and to prevent its content from being embedded in other websites. Omitting the header allows the page to be embedded in iframes; include the header to limit this. There are only two valid values for this header:

  • SAMEORIGIN: This page can be loaded inside an iframe, but only inside a page on the same origin.
  • DENY: Prevent the page from being loaded inside iframes.
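
The rules above can be checked automatically against a response's headers. The following is an added example, not code from the original page; it assumes the header described here is X-Frame-Options, and the function name `auditFrameOptions` and its status labels are illustrative.

```javascript
// Added example. Assumption: the header described above is X-Frame-Options.
const HEADER_NAME = "x-frame-options";
const VALID_VALUES = new Set(["DENY", "SAMEORIGIN"]);

// headers: array of [name, value] pairs exactly as received, duplicates kept.
function auditFrameOptions(headers) {
  const raw = headers.filter(
    ([name]) => name.trim().toLowerCase() === HEADER_NAME
  );
  if (raw.length === 0) {
    // No header at all: any site may embed the page in an iframe.
    return { status: "missing", values: [] };
  }
  // A header may carry a comma-joined list, and may be sent more than once.
  const values = raw
    .flatMap(([, value]) => String(value).split(","))
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);
  const distinct = [...new Set(values)];

  if (distinct.length === 0 || distinct.some((v) => !VALID_VALUES.has(v))) {
    // Anything other than the two valid values is a misconfiguration.
    return { status: "invalid", values: distinct };
  }
  if (distinct.length > 1) {
    // DENY and SAMEORIGIN together: the server's intent is ambiguous.
    return { status: "conflict", values: distinct };
  }
  return { status: "ok", values: distinct };
}

// Constructed sample responses (not captured from a real site).
const samples = {
  noHeader: [["Content-Type", "text/html"]],
  deny: [["X-Frame-Options", "DENY"]],
  sameOriginLower: [["x-frame-options", " sameorigin "]],
  typo: [["X-Frame-Options", "SAME-ORIGIN"]],
  duplicated: [["X-Frame-Options", "DENY"], ["X-Frame-Options", "SAMEORIGIN"]],
};

for (const [label, headers] of Object.entries(samples)) {
  const { status, values } = auditFrameOptions(headers);
  console.log(`${label}: ${status} ${values.join(",")}`);
}
```

Only the "ok" result means the response carries exactly one of the two valid values; every other status is worth a look in a header review.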

We have a detailed article about additional security headers if you want to fully protect your users. For more information, please read the documentation on MDN Web Docs.