X-Frame-Options

Prevents sites from being displayed inside an iframe.

The "X-Frame-Options" HTTP response header tells the browser whether the page may be rendered inside an iframe (or a frame, object or embed element). A server uses it to defend against clickjacking and to keep its content from being embedded in other websites. If the header is absent, any site may embed the page. The header only protects the response it is sent on, so it has to be present on every page you want to keep out of frames, not just the front page.

If you want to restrict framing, send this header. Modern browsers honour exactly two values:

  • SAMEORIGIN: The page may be framed, but only by pages from the same origin (same scheme, host and port). Current browsers check every ancestor in the frame chain, not just the top-level document.
  • DENY: The page may not be framed at all, not even by pages on the same origin.

The older ALLOW-FROM value is obsolete and ignored by current browsers; a response carrying it, or any other unrecognised value, behaves as if the header were missing, so a checker should flag that as a finding rather than as a partial protection. Where you need to allow-list specific framing sites, the Content-Security-Policy frame-ancestors directive supersedes this header, and a browser that understands both uses frame-ancestors.

If a third-party website is allowed to load a page inside an iframe, it can mount a clickjacking attack. The attacker's page renders the iframe invisibly (for example with its opacity set to zero) and positions it over a harmless-looking decoy button. A visitor who thinks they are clicking the decoy actually clicks a control on the framed page, such as a "delete account" or "confirm transfer" button, and because the request carries the visitor's existing session cookies, the action goes through as if the user had done it deliberately.
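To make the semantics above concrete, here is a small checker, added to this article as an example and not part of the site's own testing tool. It models what a current browser does with a page's X-Frame-Options header when the page is loaded inside a chain of frames: DENY blocks everything, SAMEORIGIN requires every ancestor to share the page's origin, and a missing, obsolete (ALLOW-FROM) or misspelled value leaves the page framable. The host names (app.example, evil.example, partner.example) and the raw response it parses are constructed sample input; the Content-Security-Policy frame-ancestors directive is deliberately not modelled.

```python
# Added example for this article (not the site's own checker): evaluate what a
# modern browser does with a page's X-Frame-Options header when the page is
# loaded inside a chain of frames. DENY and SAMEORIGIN follow current browser
# behaviour; ALLOW-FROM and any other value are obsolete or invalid and are
# ignored, which leaves the page framable. CSP frame-ancestors is not modelled.
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit

VALID_VALUES = {"DENY", "SAMEORIGIN"}


def origin_of(url: str) -> str:
    """Return the origin (scheme://host[:port]) of a URL, lowercased,
    with the scheme's default port dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"http": 80, "https": 443}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are not case-sensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def framing_allowed(headers: Dict[str, str], page_url: str,
                    ancestors: List[str]) -> Tuple[bool, str]:
    """Decide whether page_url, served with `headers`, renders inside the
    frame chain `ancestors` (immediate parent first, top-level document last).
    Returns (allowed, reason)."""
    if not ancestors:
        return True, "top-level navigation: X-Frame-Options does not apply"

    raw = get_header(headers, "X-Frame-Options")
    if raw is None:
        return True, "no X-Frame-Options header: any site may frame this page"

    value = raw.strip().upper()
    if value not in VALID_VALUES:
        # ALLOW-FROM, ALLOWALL, typos: current browsers ignore the header entirely.
        return True, f"unrecognised or obsolete value {raw!r}: header ignored, page is framable"

    if value == "DENY":
        return False, "DENY: framing blocked for every ancestor, same-origin included"

    # SAMEORIGIN: every ancestor in the chain must share the page's origin.
    # Early implementations only checked the top-level document, which is why a
    # nested cross-origin frame was once a bypass.
    page_origin = origin_of(page_url)
    for ancestor in ancestors:
        if origin_of(ancestor) != page_origin:
            return False, f"SAMEORIGIN: ancestor {origin_of(ancestor)} differs from {page_origin}"
    return True, "SAMEORIGIN: every ancestor shares the page's origin"


def parse_raw_response_headers(raw: str) -> Dict[str, str]:
    """Pull the header block out of a raw HTTP/1.1 response (status line,
    headers, blank line, body) into a dict. The last occurrence of a repeated
    header wins; this is a quick check, not a full HTTP parser."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


if __name__ == "__main__":
    # Constructed sample response, as a checker would capture it from a server.
    sample = ("HTTP/1.1 200 OK\r\n"
              "Content-Type: text/html\r\n"
              "x-frame-options: sameorigin\r\n"
              "\r\n<html>...</html>")
    hdrs = parse_raw_response_headers(sample)
    page = "https://app.example/settings"
    for chain in (["https://app.example/"],
                  ["https://app.example/", "https://evil.example/"],
                  ["https://evil.example/"]):
        print(chain, framing_allowed(hdrs, page, chain))
```

The second chain in the usage block is the interesting one: the page's immediate parent is same-origin, but that parent is itself framed by evil.example, and SAMEORIGIN still blocks it because every ancestor is checked.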

If you use Apache, make sure mod_headers is enabled and add this line to your httpd.conf (or the relevant virtual host) to enable this header: Header always set X-Frame-Options "SAMEORIGIN" The always condition makes Apache send it on error responses as well as successful ones.

If you use Nginx, add this line to the http or server block of your nginx.conf to enable this header: add_header X-Frame-Options "SAMEORIGIN" always; The always parameter makes Nginx emit the header on every response code, not only 2xx and 3xx. Be aware that an add_header inside a nested location block replaces every add_header inherited from the enclosing level, so repeat the line in any location that sets its own headers. After reloading, confirm that the header is present on a real response, including an error page.

We have a detailed article about additional security headers if you want to learn more about this topic and fully protect your users.

Ready to validate your website to check for this header and 100+ other important tests?