HTTP Security Headers: X-Frame-Options

Author: HollyGraceful    Published: 21 February 2022

The X-Frame-Options response header tells a web browser whether it may render the page inside a frame (a frame, iframe, embed or object element). Refusing to be framed is the defence against clickjacking, where an attacker loads the target page in an invisible frame on a page they control and tricks the user into clicking on it. The header is only honoured when sent as an HTTP response header; a copy placed in a <meta http-equiv> tag is ignored by browsers.

Although this header has effectively been superseded by the Content-Security-Policy (CSP) frame-ancestors directive, it still benefits older browsers that do not support that directive, such as Internet Explorer, Chrome before version 40 (released in 2015) and Firefox before version 33 (released in 2014). Where both are present, a browser that understands frame-ancestors applies the CSP directive and ignores X-Frame-Options, so the two should be configured to agree rather than relying on one to correct the other.

It is recommended that an X-Frame-Options header is configured for the application if framing should not be allowed at all, or if only pages on the application's own origin should be able to frame it (the SAMEORIGIN value). The obsolete ALLOW-FROM value should not be used, as current browsers ignore it and the header then offers no protection; an allow-list of framing origins needs CSP frame-ancestors instead. The following header disables framing entirely:

X-Frame-Options: DENY
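To show how a tester would evaluate what a response actually offers against clickjacking, and how X-Frame-Options and frame-ancestors interact, here is an added Python example (written for this page, not the author's code). It assumes the response headers are available as a dictionary of single values, that an enforced frame-ancestors directive takes precedence over X-Frame-Options (the CSP Level 2 behaviour), and that Content-Security-Policy-Report-Only enforces nothing. The sample header sets at the bottom are constructed, not captured from any real site.

```python
"""Assess HTTP response headers for clickjacking (framing) protection.

Added example for this article, not the author's code. The sample header
sets at the bottom are constructed, not captured from any real site.
"""


def _get_header(headers, name):
    """Case-insensitive lookup of a single header value (None if absent)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp_value):
    """Return the source list of the frame-ancestors directive, or None
    if the policy has no such directive. An empty source list is treated
    as 'none' (in CSP an empty frame-ancestors matches no ancestor)."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            return sources or ["'none'"]
    return None


def assess_framing(headers):
    """Classify the framing protection expressed by a response's headers.

    Returns a dict with:
      verdict - 'blocked', 'same-origin', 'restricted', 'misconfigured'
                or 'unprotected'
      source  - which header decided the verdict ('csp', 'xfo' or None)
      notes   - list of human-readable observations
    Assumed precedence (CSP Level 2): an enforced frame-ancestors directive
    overrides X-Frame-Options; the report-only CSP header is ignored here
    because it enforces nothing.
    """
    notes = []
    csp = _get_header(headers, "Content-Security-Policy")
    xfo = _get_header(headers, "X-Frame-Options")

    if csp is not None:
        sources = parse_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                verdict = "blocked"
            elif sources == ["'self'"]:
                verdict = "same-origin"
            else:
                verdict = "restricted"
                notes.append("frame-ancestors allow-list: " + " ".join(sources))
            if xfo is not None:
                notes.append("X-Frame-Options also present; CSP takes precedence "
                             "in browsers that support frame-ancestors")
            return {"verdict": verdict, "source": "csp", "notes": notes}

    if xfo is None:
        notes.append("no X-Frame-Options and no frame-ancestors directive")
        return {"verdict": "unprotected", "source": None, "notes": notes}

    value = xfo.strip().upper()
    if value == "DENY":
        verdict = "blocked"
    elif value == "SAMEORIGIN":
        verdict = "same-origin"
    elif value.startswith("ALLOW-FROM"):
        verdict = "misconfigured"
        notes.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                     "use CSP frame-ancestors instead")
    else:
        verdict = "misconfigured"
        notes.append("unrecognised X-Frame-Options value %r is ignored by browsers" % xfo)
    if verdict != "misconfigured":
        notes.append("only X-Frame-Options set; add frame-ancestors for "
                     "CSP-capable browsers")
    return {"verdict": verdict, "source": "xfo", "notes": notes}


# Constructed sample responses (not real captures).
SAMPLE_RESPONSES = {
    "deny-only": {"X-Frame-Options": "DENY"},
    "sameorigin-lowercase": {"x-frame-options": "sameorigin"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-and-xfo": {
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "SAMEORIGIN",
    },
    "csp-allow-list": {"Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
    "no-headers": {},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        result = assess_framing(hdrs)
        print("%-22s %-14s %s" % (name, result["verdict"], "; ".join(result["notes"])))
```

Running the script prints one line per constructed response. The "csp-and-xfo" case is the one to note when auditing: the response carries SAMEORIGIN, but a CSP-capable browser blocks all framing because frame-ancestors 'none' wins, while an old browser without CSP support sees only the looser X-Frame-Options value.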