X-Frame-Options

Security Glossary - Security Headers

Definition: X-Frame-Options is a security header that controls whether a browser should allow a page to be rendered inside a frame, iframe, or object element. Setting it to DENY prevents all framing, while SAMEORIGIN allows framing only by pages on the same origin. This header helps prevent clickjacking attacks.

Configuration Reference

Value            Effect
DENY             Page cannot be displayed in any frame
SAMEORIGIN       Page can only be framed by pages on the same origin
ALLOW-FROM uri   Deprecated - use CSP frame-ancestors instead

Why X-Frame-Options Is Important

Clickjacking attacks overlay a transparent iframe of your site on top of a malicious page. When users think they are clicking buttons on the visible page, they are actually clicking elements on your hidden site - potentially transferring money, changing account settings, or granting permissions.

X-Frame-Options is a simple, widely supported defense against this. Setting X-Frame-Options: DENY means your pages can never be embedded in frames on any site. SAMEORIGIN allows your own site to frame its own pages but blocks external sites.

While CSP's frame-ancestors directive is the modern replacement (and more flexible), X-Frame-Options should still be set for compatibility with older browsers that do not support CSP. Setting both provides defense in depth.

Checking Your Setup

A security audit checks for the X-Frame-Options header. Verify it is set to DENY or SAMEORIGIN. If your site needs to be embedded in specific third-party frames, use CSP frame-ancestors with the specific allowed origins instead.
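As an added example (not DomainOptic's scanner or any project's code), the following Python does two things this section and the configuration reference describe: it builds the header pair for each framing policy (DENY, SAMEORIGIN, or a CSP frame-ancestors allow-list for specific third-party origins) and it audits a set of captured response headers for the same conditions a security audit looks for. The header names are real; the sample responses, the partner origin and the function names are constructed for illustration.

```python
"""Build and audit clickjacking-protection headers (added example, not DomainOptic's scanner)."""
from __future__ import annotations

from typing import Iterable


def framing_headers(policy: str, allowed_origins: Iterable[str] = ()) -> dict[str, str]:
    """Return the response headers for a framing policy.

    policy: "deny", "sameorigin", or "allow" (framing by specific external origins).
    For "deny" and "sameorigin" both headers are set: CSP frame-ancestors for modern
    browsers, X-Frame-Options as the fallback for browsers without CSP support.
    For "allow", only frame-ancestors can express the list (ALLOW-FROM is deprecated),
    so X-Frame-Options is omitted rather than set to a value that would block the
    allowed origins in legacy browsers.
    """
    if policy == "deny":
        return {"X-Frame-Options": "DENY",
                "Content-Security-Policy": "frame-ancestors 'none'"}
    if policy == "sameorigin":
        return {"X-Frame-Options": "SAMEORIGIN",
                "Content-Security-Policy": "frame-ancestors 'self'"}
    if policy == "allow":
        origins = list(allowed_origins)
        if not origins:
            raise ValueError("allow policy needs at least one origin")
        return {"Content-Security-Policy": "frame-ancestors 'self' " + " ".join(origins)}
    raise ValueError(f"unknown policy {policy!r}")


def parse_frame_ancestors(csp: str) -> list[str] | None:
    """Return the source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def audit_framing(headers: dict[str, str]) -> dict:
    """Assess clickjacking protection from response headers (header names are case-insensitive).

    A response counts as protected when either X-Frame-Options is DENY/SAMEORIGIN or a
    CSP frame-ancestors directive without a bare '*' source is present. Browsers that
    support CSP ignore X-Frame-Options whenever frame-ancestors is present, so the
    findings also flag whichever of the two headers is missing.
    """
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    findings: list[str] = []

    xfo_ok = xfo in ("DENY", "SAMEORIGIN")
    if not xfo:
        findings.append("X-Frame-Options missing (legacy browsers have no framing restriction)")
    elif xfo.startswith("ALLOW-FROM"):
        findings.append("X-Frame-Options ALLOW-FROM is deprecated; use CSP frame-ancestors")
    elif not xfo_ok:
        findings.append(f"X-Frame-Options value {xfo!r} is invalid and will be ignored")

    csp_ok = ancestors is not None and "*" not in ancestors  # bare '*' lets any site frame the page
    if ancestors is None:
        findings.append("CSP frame-ancestors missing (no allow-list control in modern browsers)")
    elif not csp_ok:
        findings.append("CSP frame-ancestors contains '*', which permits framing by any origin")

    return {
        "protected": xfo_ok or csp_ok,
        "xfo": xfo or None,
        "frame_ancestors": ancestors,
        "findings": findings,
    }


# Constructed sample responses (not real scan results), one per situation the section describes.
SAMPLE_RESPONSES = {
    "hardened": {"X-Frame-Options": "DENY",
                 "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_only": {"x-frame-options": "sameorigin"},
    "partner_embed": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "deprecated_value": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "unprotected": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        result = audit_framing(hdrs)
        status = "OK " if result["protected"] else "FAIL"
        print(f"{status} {name}: {result['findings'] or 'no findings'}")
```

The audit treats a response as protected if either mechanism is correctly set, but a fully hardened response produces no findings only when both headers are present, matching the advice to set both for defense in depth.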


Common Questions About X-Frame-Options

Should I use DENY or SAMEORIGIN?

Use DENY if your site never needs to be framed (most common). Use SAMEORIGIN if your own pages need to embed each other in iframes. If you need to allow specific external sites to frame your content, use CSP frame-ancestors instead.

Is X-Frame-Options still needed with CSP frame-ancestors?

Yes, for backward compatibility. Older browsers (especially IE11) support X-Frame-Options but not CSP frame-ancestors. Set both headers for full clickjacking protection.

Disclaimer: DomainOptic provides automated informational scans only. Results do not constitute professional security advice, compliance certification, or a guarantee of security. Always verify findings independently.