← Back to Security Headers

X-Frame-Options

Prevents clickjacking attacks by controlling whether your site can be embedded in frames.

X-Frame-Options

Purpose

Protects users from clickjacking attacks where malicious sites embed your content in invisible frames.

Implementation

Set one of three values:

```
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM uri
```

Examples

DENY
SAMEORIGIN
ALLOW-FROM https://example.com

Best Practices

✓Use DENY for maximum security
✓Use SAMEORIGIN if you need same-origin framing
✓Consider CSP frame-ancestors directive (modern alternative)

Common Mistakes

✗Not setting the header at all
✗Using ALLOW-FROM (deprecated)
✗Conflicting with CSP frame-ancestors

Related Headers

Content-Security-Policy

References

MDN Web Docs →

Test Your Configuration

Run a free security scan to check if X-Frame-Options is properly configured on your site.