X-Frame-Options
The HTTP X-Frame-Options response header controls whether a browser is permitted to render a page inside a frame, iframe, embed, or object element.
Note
The "X-" naming convention for HTTP headers, where "X" stood for "experimental", has been deprecated, and new headers are expected to use the formal naming convention instead. X-Frame-Options is registered in the IANA permanent message headers registry and is defined in the HTML specification; the prefix reflects its origins before formal standardization.
Note
The frame-ancestors directive in the Content-Security-Policy header supersedes X-Frame-Options. Sites supporting modern browsers benefit from migrating to CSP frame-ancestors. Many servers still send both headers for backward compatibility.
Usage
Clickjacking attacks trick users into clicking hidden elements layered over a legitimate page. An attacker embeds the target site in a transparent iframe, positions a deceptive UI on top, and captures clicks intended for the framed content. X-Frame-Options prevents this by telling the browser whether the response is allowed to appear inside a frame.
The header accepts two active values: DENY and SAMEORIGIN. A third value, ALLOW-FROM, was defined in earlier implementations but is now obsolete and ignored by modern browsers.
Values
DENY
The DENY value blocks the page from being displayed in any frame, regardless of the requesting site. No framing is permitted under any circumstance.
SAMEORIGIN
The SAMEORIGIN value allows the page to be framed only by pages sharing the same origin. A page on https://example.re is allowed to frame another page from https://example.re, but a page on a different origin is blocked.
ALLOW-FROM (obsolete)
The ALLOW-FROM uri value once instructed the browser to permit framing only from the specified URI. Modern browsers no longer support this directive. The equivalent functionality is available through the CSP frame-ancestors directive:
Content-Security-Policy: frame-ancestors https://trusted.example.re
Example
Blocking all framing of a page, the strictest protection against clickjacking:
X-Frame-Options: DENY
Allowing same-origin framing while blocking external sites from embedding the page:
X-Frame-Options: SAMEORIGIN
A defense-in-depth configuration combining X-Frame-Options with the CSP frame-ancestors directive for broad browser coverage:
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
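To make the DENY, SAMEORIGIN and ALLOW-FROM semantics above, and the interaction between the two headers in the defense-in-depth configuration, concrete, the following Python model reproduces the decision a browser makes when a response arrives in a child frame. It is an added example, not code from the page or from any browser; it follows the HTML specification's X-Frame-Options check (comma-separated values are compared case-insensitively, conflicting recognised values block, unrecognised values such as ALLOW-FROM are ignored, and SAMEORIGIN is checked against every ancestor up to the top-level document) and a deliberately simplified frame-ancestors matcher that only understands 'self', 'none', '*', scheme sources and exact origins. The function names and the sample origins such as https://attacker.example are constructed for illustration.

```python
"""Browser-side framing decision for X-Frame-Options and CSP frame-ancestors.

Added illustration, not a browser's or the page's own code. Header parsing
follows the HTML spec's X-Frame-Options check; frame-ancestors matching is a
simplified subset ('self', 'none', '*', scheme sources, exact origins).
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port], dropping default ports."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    default_port = {"https": 443, "http": 80}.get(scheme)
    if parts.port is None or parts.port == default_port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{parts.port}"


def xfo_allows(header: Optional[str], page_origin: str, ancestors: List[str]) -> bool:
    """X-Frame-Options semantics: DENY, SAMEORIGIN, anything else is ignored."""
    if header is None:
        return True
    values = {v.strip().lower() for v in header.split(",") if v.strip()}
    if len(values) > 1:
        # Conflicting recognised values such as "DENY, SAMEORIGIN" block the
        # load; several unrecognised values are simply ignored.
        return not (values & {"deny", "allowall", "sameorigin"})
    value = next(iter(values), "")
    if value == "deny":
        return False
    if value == "sameorigin":
        # Every embedding document up to the top level must share the origin.
        return all(a == page_origin for a in ancestors)
    # ALLOW-FROM and any other token is obsolete or unknown: treated as absent.
    return True


def frame_ancestors_sources(csp: Optional[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list, or None if the directive is absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def csp_allows(sources: List[str], page_origin: str, ancestors: List[str]) -> bool:
    """Simplified frame-ancestors matching: each ancestor must match a source."""
    def source_matches(src: str, ancestor: str) -> bool:
        if src == "*":
            return True
        if src.lower() == "'self'":
            return ancestor == page_origin
        if src.endswith(":") and "/" not in src:      # scheme source, e.g. https:
            return ancestor.startswith(src.lower() + "//")
        if "://" in src:                               # exact origin host source
            return origin_of(src) == ancestor
        return False                                   # 'none' or unsupported form
    return all(any(source_matches(s, a) for s in sources) for a in ancestors)


def framing_allowed(headers: Dict[str, str], page_url: str, ancestor_urls: List[str]) -> bool:
    """Decide whether the browser renders page_url inside the given ancestor chain.

    ancestor_urls lists the embedding documents from the direct parent up to the
    top-level page; an empty list is a top-level navigation, which neither
    header restricts.
    """
    if not ancestor_urls:
        return True
    lowered = {k.lower(): v for k, v in headers.items()}
    page_origin = origin_of(page_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    sources = frame_ancestors_sources(lowered.get("content-security-policy"))
    if sources is not None:
        # Per the HTML spec, an enforced CSP that carries frame-ancestors makes
        # the browser skip X-Frame-Options entirely, so the CSP decision is final.
        return csp_allows(sources, page_origin, ancestors)
    return xfo_allows(lowered.get("x-frame-options"), page_origin, ancestors)


if __name__ == "__main__":
    # Constructed sample: the defense-in-depth header pair from the page,
    # evaluated for a same-origin embed and for a cross-origin one.
    both = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self'"}
    page = "https://example.re/account"
    for parent in ("https://example.re/portal", "https://attacker.example/"):
        print(parent, "->", "rendered" if framing_allowed(both, page, [parent]) else "blocked")
```

Two behaviours are worth noticing when you run it: ALLOW-FROM never blocks anything in this model, which is exactly why the page calls it obsolete, and a response that sends both headers is decided by frame-ancestors alone, so X-Frame-Options only matters for clients that do not understand that directive.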
Takeaway
The X-Frame-Options header protects against clickjacking by controlling whether a browser renders the page inside a frame. The Content-Security-Policy frame-ancestors directive provides the same protection with greater flexibility.