To fix missing X-Frame-Options, add the response header X-Frame-Options: SAMEORIGIN (and ideally a CSP frame-ancestors 'self' directive). This stops other sites embedding your pages in frames, preventing clickjacking. Re-scan to confirm.
Without X-Frame-Options (or a CSP frame-ancestors directive), an attacker can load your site inside an invisible frame on their own page and trick users into clicking things they cannot see — clickjacking. Adding one header closes this off. This guide covers every major platform.
Check your website
See how your site handles how to fix missing x-frame-options — free, no account needed.
Business impact
Clickjacking can trick your logged-in users into performing actions they never intended — changing settings, making purchases or approving requests. Preventing it protects users and your reputation, and it is one of the quickest security wins available: a single header applied site-wide.
Why this happens
The header is missing simply because it is not set by default. The modern equivalent is the CSP frame-ancestors directive, which supersedes X-Frame-Options; setting both gives the broadest browser coverage. Causes are almost always "never configured" or "set on some responses but not all".
How to confirm the issue
Manually: in DevTools → Network, check the document response for x-frame-options. Or run curl -I https://yoursite.com.
With Plexa Trust: run a scan and look for "Missing X-Frame-Options"; re-scan after the fix to confirm it clears.
Step-by-step fix
Add
X-Frame-Options: SAMEORIGINto all responses.Also add a CSP directive
frame-ancestors 'self'for modern browsers.If you must allow specific partners to embed you, use CSP frame-ancestors with their origins instead of X-Frame-Options.
Deploy and re-scan to confirm.
Platform-specific fixes
Cloudflare
Rules → Transform Rules → Modify Response Header.
Add header
X-Frame-Optionswith valueSAMEORIGIN. Save.
Apache
In virtual host or .htaccess:
Header always set X-Frame-Options "SAMEORIGIN"
Reload Apache.
Nginx
In the server block:
add_header X-Frame-Options "SAMEORIGIN" always;
Run
nginx -tand reload.
WordPress
Enable the X-Frame-Options option in a security-headers plugin, or
Add the header via your server configuration.
How to verify the fix
Prefer SAMEORIGIN unless you have a specific reason to allow framing.
Set CSP frame-ancestors as the modern, more flexible control.
Re-scan and confirm "Missing X-Frame-Options" is cleared.
Common mistakes
Using the removed
ALLOW-FROMvalue (use CSP frame-ancestors instead).Applying it to only some pages.
Forgetting that CSP frame-ancestors overrides X-Frame-Options where both apply.
Frequently asked questions
What is clickjacking?
An attack that loads your site in a hidden frame over decoy content, tricking users into clicking real buttons on your site without realising.
SAMEORIGIN or DENY?
SAMEORIGIN lets your own site frame its pages while blocking others. Use DENY only if you never frame your own pages.
Is X-Frame-Options deprecated?
It is still widely supported, but CSP frame-ancestors is the modern replacement. Setting both maximises coverage.
How do I allow a specific partner to embed my page?
Use CSP frame-ancestors with their origin, e.g. frame-ancestors 'self' https://partner.com. The old ALLOW-FROM value is no longer supported.
Will this break legitimate embeds?
Only if you intentionally embed your pages elsewhere. In that case, allowlist those origins via frame-ancestors.
Where should I set it?
Site-wide at your server or CDN so every page is protected, not just the homepage.
Does it affect SEO?
No. It is a security header with no negative SEO impact.
How do I confirm it worked?
Re-scan with Plexa Trust and check the header via curl or DevTools; the finding should clear.
Think you've fixed it?
Run a free scan to verify the issue is resolved. Upgrade to Pro on Plexa Trust for the full audit, monitoring alerts, and score history.
Verify with a free scan