X-Frame-Options tells browsers whether your pages may be embedded in a frame or iframe. Setting it to SAMEORIGIN prevents clickjacking, where an attacker overlays your site invisibly to trick users into clicking.
Clickjacking loads your real site inside an invisible frame on an attacker's page so users unknowingly click your buttons. X-Frame-Options (and its modern replacement, the CSP frame-ancestors directive) blocks unauthorised framing.
Check your website
See how your site handles x-frame-options: preventing clickjacking — free, no account needed.
For business owners
Clickjacking can trick a logged-in user into changing settings, making a purchase or approving an action without realising it. Blocking framing is a one-line configuration that removes this risk and is checked by virtually every security scanner. There is almost no downside for typical sites.
How it works (technical)
X-Frame-Options accepts DENY (never allow framing) or SAMEORIGIN (only your own site may frame the page). The modern equivalent is the CSP directive frame-ancestors 'self', which is more flexible and supersedes X-Frame-Options in browsers that support it.
Set both for maximum coverage: frame-ancestors for modern browsers and X-Frame-Options for legacy clients.
Real-world example
A dashboard let users delete their account with one click. An attacker embedded it in a transparent iframe over a fake "Win a prize" button. Users clicking the prize actually clicked "delete". Adding X-Frame-Options: SAMEORIGIN made the browser refuse to render the framed page, killing the attack.
Why it matters
Framing-based attacks are easy to launch and hard for users to notice. This header is a trivial, high-value fix that scanners flag whenever it is missing.
How to fix it
Add
X-Frame-Options: SAMEORIGINto all responses (orDENYif you never frame your own pages).Also add the CSP directive
frame-ancestors 'self'for modern browsers.If partners legitimately embed your pages, list their origins in
frame-ancestorsinstead of allowing all.Re-scan to confirm the header is present site-wide.
Best practices
Prefer
frame-ancestorsin CSP and keep X-Frame-Options for legacy support.Use SAMEORIGIN unless you have a specific need to allow external framing.
Never use the long-deprecated
ALLOW-FROMvalue; use frame-ancestors instead.
Common mistakes
Leaving the header off entirely, allowing any site to frame yours.
Using ALLOW-FROM, which most browsers ignore.
Setting it on some pages but not the sensitive ones.
Frequently asked questions
DENY or SAMEORIGIN?
Use SAMEORIGIN if your own site ever frames its pages; use DENY if it never does. Both stop external clickjacking.
Is X-Frame-Options obsolete?
It is superseded by CSP frame-ancestors but still useful for older browsers, so set both.
Put this into practice
See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.
Scan your website free