Overview
The X-Frame-Options response header is primarily used to defend against clickjacking attacks. It tells the browser whether the page may be rendered inside a frame on another site, so an attacker cannot load your page in an invisible frame and overlay their own elements on top of it.
Directives
- DENY: The page cannot be displayed in a frame, regardless of the site attempting to do so.
- SAMEORIGIN: The page can only be displayed in a frame on the same origin as the page itself.
- ALLOW-FROM uri: (Deprecated) The page can only be displayed in a frame on the specified origin.
Modern Alternative
The frame-ancestors directive in Content Security Policy (CSP) is the modern and more flexible replacement for X-Frame-Options.
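The following check, an added example rather than code from the page, evaluates a set of response headers the way a CSP-aware browser would: frame-ancestors takes precedence when present, otherwise X-Frame-Options DENY and SAMEORIGIN apply, and the deprecated ALLOW-FROM is treated as no protection because browsers that do not understand it ignore the header. Host-source matching is deliberately simplified (no ports, no path matching, and a scheme-less source accepts any scheme); those are assumptions of this example, not the CSP specification.

```python
from urllib.parse import urlparse


def _parse_frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            # An empty source list is invalid per the grammar; treat it conservatively as 'none'.
            return [p.lower() for p in parts[1:]] or ["'none'"]
    return None


def _host_source_matches(source: str, embedder: str) -> bool:
    """Simplified host-source match (assumption: optional scheme, optional '*.' prefix, no ports)."""
    emb = urlparse(embedder)
    scheme, sep, host = source.partition("://")
    if not sep:                      # no scheme given: accept any scheme (simplification)
        scheme, host = None, scheme
    host = host.rstrip("/")
    if scheme and scheme != emb.scheme:
        return False
    if host.startswith("*."):        # "*.partner.example" matches "widgets.partner.example"
        return bool(emb.hostname) and emb.hostname.endswith(host[1:])
    return emb.hostname == host


def _source_matches(source: str, embedder: str, page: str) -> bool:
    """Does one frame-ancestors source expression allow `embedder` to frame `page`?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return embedder == page
    if source == "*":
        return True
    return _host_source_matches(source, embedder)


def framing_allowed(headers: dict, page_origin: str, embedder_origin: str) -> bool:
    """Decide whether a modern browser should let `embedder_origin` frame `page_origin`."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp:
        sources = _parse_frame_ancestors(csp)
        if sources is not None:      # CSP frame-ancestors overrides X-Frame-Options
            return any(_source_matches(s, embedder_origin, page_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    # Missing, malformed, or deprecated ALLOW-FROM: browsers ignore it, so framing is allowed.
    return True
```

Run it against the headers your own responses actually send; a site that relies solely on ALLOW-FROM will show up as unprotected.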