X-Frame-Options
Response header Security

Overview

X-Frame-Options is a security header that controls whether this page may be embedded inside another page's <iframe>, <frame>, or <object>. Its main purpose is clickjacking defense — stopping an attacker from overlaying your page as a transparent frame to hijack the user's clicks.

The widely supported values are DENY (block entirely) and SAMEORIGIN (allow only the same origin).

Details

In clickjacking, an attacker places your site (say a transfer or settings page) as an invisible iframe over their own page and positions decoy UI on top, so while users think they click the decoy they actually press a button inside the frame. Blocking framing outright with X-Frame-Options makes the attack impossible.

Every page with authenticated or state-changing functionality should carry at least SAMEORIGIN, or DENY if it never needs to be framed. The old ALLOW-FROM was deprecated due to inconsistent browser support, so to allow specific origins use CSP.

The modern replacement is CSP's frame-ancestors directive: it can list multiple allowed origins and is more flexible, and modern browsers prefer CSP frame-ancestors when both headers are present.

Syntax

X-Frame-Options: <DENY | SAMEORIGIN>

e.g. X-Frame-Options: SAMEORIGIN

Directives / values

DENYNo site may frame this page (iframe/frame/object) at all.
SAMEORIGINOnly pages from the same origin may frame this page.

Notes

Related headers

Related status codes

Specification