Skip to main content

Fix Guides

How to Fix Missing X-Frame-Options

Stop your pages being embedded in malicious frames (clickjacking).

Quick fix

To fix missing X-Frame-Options, add the response header X-Frame-Options: SAMEORIGIN (and ideally a CSP frame-ancestors 'self' directive). This stops other sites embedding your pages in frames, preventing clickjacking. Re-scan to confirm.

Without X-Frame-Options (or a CSP frame-ancestors directive), an attacker can load your site inside an invisible frame on their own page and trick users into clicking things they cannot see — clickjacking. Adding one header closes this off. This guide covers every major platform.

Check your website

See how your site handles how to fix missing x-frame-options — free, no account needed.

Business impact

Clickjacking can trick your logged-in users into performing actions they never intended — changing settings, making purchases or approving requests. Preventing it protects users and your reputation, and it is one of the quickest security wins available: a single header applied site-wide.

Why this happens

The header is missing simply because it is not set by default. The modern equivalent is the CSP frame-ancestors directive, which supersedes X-Frame-Options; setting both gives the broadest browser coverage. Causes are almost always "never configured" or "set on some responses but not all".

How to confirm the issue

Manually: in DevTools → Network, check the document response for x-frame-options. Or run curl -I https://yoursite.com.

With Plexa Trust: run a scan and look for "Missing X-Frame-Options"; re-scan after the fix to confirm it clears.

Step-by-step fix

  1. Add X-Frame-Options: SAMEORIGIN to all responses.

  2. Also add a CSP directive frame-ancestors 'self' for modern browsers.

  3. If you must allow specific partners to embed you, use CSP frame-ancestors with their origins instead of X-Frame-Options.

  4. Deploy and re-scan to confirm.

Platform-specific fixes

Cloudflare

  1. Rules → Transform Rules → Modify Response Header.

  2. Add header X-Frame-Options with value SAMEORIGIN. Save.

Apache

In virtual host or .htaccess:

  1. Header always set X-Frame-Options "SAMEORIGIN"

  2. Reload Apache.

Nginx

In the server block:

  1. add_header X-Frame-Options "SAMEORIGIN" always;

  2. Run nginx -t and reload.

WordPress

  1. Enable the X-Frame-Options option in a security-headers plugin, or

  2. Add the header via your server configuration.

How to verify the fix

  • Prefer SAMEORIGIN unless you have a specific reason to allow framing.

  • Set CSP frame-ancestors as the modern, more flexible control.

  • Re-scan and confirm "Missing X-Frame-Options" is cleared.

Common mistakes

  • Using the removed ALLOW-FROM value (use CSP frame-ancestors instead).

  • Applying it to only some pages.

  • Forgetting that CSP frame-ancestors overrides X-Frame-Options where both apply.

Frequently asked questions

What is clickjacking?

An attack that loads your site in a hidden frame over decoy content, tricking users into clicking real buttons on your site without realising.

SAMEORIGIN or DENY?

SAMEORIGIN lets your own site frame its pages while blocking others. Use DENY only if you never frame your own pages.

Is X-Frame-Options deprecated?

It is still widely supported, but CSP frame-ancestors is the modern replacement. Setting both maximises coverage.

How do I allow a specific partner to embed my page?

Use CSP frame-ancestors with their origin, e.g. frame-ancestors 'self' https://partner.com. The old ALLOW-FROM value is no longer supported.

Will this break legitimate embeds?

Only if you intentionally embed your pages elsewhere. In that case, allowlist those origins via frame-ancestors.

Where should I set it?

Site-wide at your server or CDN so every page is protected, not just the homepage.

Does it affect SEO?

No. It is a security header with no negative SEO impact.

How do I confirm it worked?

Re-scan with Plexa Trust and check the header via curl or DevTools; the finding should clear.

Think you've fixed it?

Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.

Verify with a free scan

Upgrade to Pro for monitoring