Skip to main content

Security Headers

X-Frame-Options: Preventing Clickjacking

Stop other sites from embedding yours in a hidden frame.

Quick answer

X-Frame-Options tells browsers whether your pages may be embedded in a frame or iframe. Setting it to SAMEORIGIN prevents clickjacking, where an attacker overlays your site invisibly to trick users into clicking.

Clickjacking loads your real site inside an invisible frame on an attacker's page so users unknowingly click your buttons. X-Frame-Options (and its modern replacement, the CSP frame-ancestors directive) blocks unauthorised framing.

Check your website

See how your site handles x-frame-options: preventing clickjacking — free, no account needed.

For business owners

Clickjacking can trick a logged-in user into changing settings, making a purchase or approving an action without realising it. Blocking framing is a one-line configuration that removes this risk and is checked by virtually every security scanner. There is almost no downside for typical sites.

How it works (technical)

X-Frame-Options accepts DENY (never allow framing) or SAMEORIGIN (only your own site may frame the page). The modern equivalent is the CSP directive frame-ancestors 'self', which is more flexible and supersedes X-Frame-Options in browsers that support it.

Set both for maximum coverage: frame-ancestors for modern browsers and X-Frame-Options for legacy clients.

Real-world example

A dashboard let users delete their account with one click. An attacker embedded it in a transparent iframe over a fake "Win a prize" button. Users clicking the prize actually clicked "delete". Adding X-Frame-Options: SAMEORIGIN made the browser refuse to render the framed page, killing the attack.

Why it matters

Framing-based attacks are easy to launch and hard for users to notice. This header is a trivial, high-value fix that scanners flag whenever it is missing.

How to fix it

  1. Add X-Frame-Options: SAMEORIGIN to all responses (or DENY if you never frame your own pages).

  2. Also add the CSP directive frame-ancestors 'self' for modern browsers.

  3. If partners legitimately embed your pages, list their origins in frame-ancestors instead of allowing all.

  4. Re-scan to confirm the header is present site-wide.

Best practices

  • Prefer frame-ancestors in CSP and keep X-Frame-Options for legacy support.

  • Use SAMEORIGIN unless you have a specific need to allow external framing.

  • Never use the long-deprecated ALLOW-FROM value; use frame-ancestors instead.

Common mistakes

  • Leaving the header off entirely, allowing any site to frame yours.

  • Using ALLOW-FROM, which most browsers ignore.

  • Setting it on some pages but not the sensitive ones.

Frequently asked questions

DENY or SAMEORIGIN?

Use SAMEORIGIN if your own site ever frames its pages; use DENY if it never does. Both stop external clickjacking.

Is X-Frame-Options obsolete?

It is superseded by CSP frame-ancestors but still useful for older browsers, so set both.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account