X-Frame-OptionsX-Frame-Options is a security header that controls whether this page may be embedded inside another page's <iframe>, <frame>, or <object>. Its main purpose is clickjacking defense — stopping an attacker from overlaying your page as a transparent frame to hijack the user's clicks.
The widely supported values are DENY (block entirely) and SAMEORIGIN (allow only the same origin).
In clickjacking, an attacker places your site (say a transfer or settings page) as an invisible iframe over their own page and positions decoy UI on top, so while users think they click the decoy they actually press a button inside the frame. Blocking framing outright with X-Frame-Options makes the attack impossible.
Every page with authenticated or state-changing functionality should carry at least SAMEORIGIN, or DENY if it never needs to be framed. The old ALLOW-FROM was deprecated due to inconsistent browser support, so to allow specific origins use CSP.
The modern replacement is CSP's frame-ancestors directive: it can list multiple allowed origins and is more flexible, and modern browsers prefer CSP frame-ancestors when both headers are present.
X-Frame-Options: <DENY | SAMEORIGIN>e.g. X-Frame-Options: SAMEORIGIN
DENY | No site may frame this page (iframe/frame/object) at all. |
SAMEORIGIN | Only pages from the same origin may frame this page. |