
X-Frame-Options

High importance

What is X-Frame-Options?

Your site can be embedded into someone else's page using an <iframe> element. Attackers exploit this to carry out clickjacking attacks. Here's how it works: your site is loaded in an invisible iframe, and a fake interface is layered on top of it. The user doesn't see your site — they see the overlaid interface, which is designed to trick them into clicking the buttons the attackers need, potentially changing account settings, making a purchase, or confirming a dangerous action.

To prevent this kind of attack, the X-Frame-Options header is used. It tells the browser whether your page is allowed to be displayed inside an iframe. You can block embedding entirely or allow it only for your own domain. If someone tries to load your site in an iframe on their page, the browser refuses to render it.

It's a simple but effective protection. One line in your server configuration — and clickjacking attacks through iframes on your site become impossible.

How to enable X-Frame-Options?

To prevent your site from being embedded in an iframe on other pages, add the following header to your web server configuration. Choose the example below depending on which server you use.

Nginx

add_header X-Frame-Options "DENY" always;

Apache

Header set X-Frame-Options "DENY"

Available values

  • DENY (recommended) — the page cannot be displayed in an iframe under any circumstances, not even by pages on your own domain.
  • SAMEORIGIN — the page can only be embedded in an iframe by pages from your own domain. Use this if you genuinely need to load your pages in frames within your own site.

Use DENY unless you have a specific reason for SAMEORIGIN: if you never embed your own pages in frames within your site, choose DENY. It is both more secure and simpler.
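As an added example (not the scanner's own code), the following Python check grades the X-Frame-Options value of a response the way a scanner would, covering the cases the two values above do not spell out: a missing header, repeated or conflicting values, the obsolete ALLOW-FROM form, and a Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options. The raw response samples are constructed for the example.

```python
# Offline X-Frame-Options check over raw HTTP response header blocks.

def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw HTTP header block into (name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:
        if ":" not in line:
            continue  # ignore stray lines instead of crashing the check
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_xfo(raw: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'pass', 'weak' or 'fail'."""
    headers = parse_headers(raw)
    values = [v for n, v in headers if n == "x-frame-options"]
    # Browsers give a CSP frame-ancestors directive precedence over
    # X-Frame-Options, so mention it rather than judge the page on XFO alone.
    csp = " ".join(v for n, v in headers if n == "content-security-policy")
    note = " (CSP frame-ancestors also present and takes precedence)" if "frame-ancestors" in csp else ""
    if not values:
        return "fail", "header missing: any origin can frame this page" + note
    # Repeated headers (e.g. set by both the server and the application) are a
    # misconfiguration; flag them instead of guessing how each browser resolves them.
    directives = {d.strip().upper() for v in values for d in v.split(",") if d.strip()}
    if len(directives) != 1:
        return "fail", f"conflicting directives {sorted(directives)}: fix the configuration" + note
    directive = directives.pop()
    if directive == "DENY":
        return "pass", "DENY: the page cannot be framed by any origin" + note
    if directive == "SAMEORIGIN":
        return "weak", "SAMEORIGIN: framing allowed only from the same origin" + note
    if directive.startswith("ALLOW-FROM"):
        return "fail", "ALLOW-FROM is obsolete and ignored by current browsers; use DENY" + note
    return "fail", f"invalid value {directive!r}: browsers ignore it, the page can be framed" + note

# Constructed sample responses (not real traffic).
GOOD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
WEAK = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n"
MISSING = "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n"
CONFLICT = "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n"
OBSOLETE = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://example.com/\r\n"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("WEAK", WEAK), ("MISSING", MISSING),
                         ("CONFLICT", CONFLICT), ("OBSOLETE", OBSOLETE)]:
        verdict, reason = check_xfo(sample)
        print(f"{name:9} {verdict:5} {reason}")
```

When testing an Nginx deployment, fetch an error page (such as a 404) as well as the home page: without the `always` flag shown in the Nginx example above, `add_header` omits the header on error responses, and this check reports it as missing.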

Setting up X-Frame-Options is one of the fastest ways to protect your site from clickjacking. One line of configuration, and attackers won't be able to embed your site in an iframe on their pages.

Learn More

Read the full specification on MDN Web Docs.
