The X-Frame-Options HTTP response header tells browsers not to render your pages inside a <frame>, <iframe>, <embed> or <object> on a site you have not authorised, which neutralises clickjacking attempts that rely on framing.
What is the X-Frame-Options Header?
It is an HTTP response header that tells the browser whether the response may be rendered inside a frame. When a page is loaded as a frame and the header is present, the browser compares the origin of the document(s) embedding it with the origin of the page itself before rendering anything; current browsers check every ancestor document up to the top-level page, whereas older implementations looked only at the top-level document. The header has no effect on a page opened directly (top-level), and it is enforced by the browser, not by the server, which still sends the full response.
Why Implement X-Frame-Options?
- Prevents clickjacking by blocking content embedding in an external frame.
- Preserves user trust: an attacker cannot load your authenticated pages inside their own site, invisible or disguised, to capture the user's clicks.
- Simplifies compliance with web security standards without impacting performance.
X-Frame-Options Values
- DENY: Prohibits any embedding of the page in a frame, even by pages of the same origin.
- SAMEORIGIN: Allows framing only when every embedding document has the same origin (same scheme, host and port), not merely the same domain: https://www.exemple.com cannot frame https://exemple.com.
- ALLOW-FROM <uri>: Permits a single specified origin. Deprecated and poorly supported: it was implemented only by Internet Explorer, legacy Edge and Firefox before version 70, never by Chrome or Safari.
Browsers that do not understand ALLOW-FROM treat the whole header as invalid and ignore it, so a page sent with ALLOW-FROM is framable by anyone in those browsers. The directive is obsolete; for finer control, prefer frame-ancestors in a Content Security Policy, which accepts a list of allowed origins. Note that a browser which supports frame-ancestors ignores X-Frame-Options entirely when the response also carries an enforced Content-Security-Policy containing that directive.
Deployment Steps
- Audit needs and identify pages requiring legitimate framing.
- Choose the appropriate directive (DENY or SAMEORIGIN).
- X-Frame-Options itself has no report-only mode. To measure the impact before blocking anyone, first send Content-Security-Policy-Report-Only with a frame-ancestors directive equivalent to the chosen value ('none' for DENY, 'self' for SAMEORIGIN) and a reporting endpoint declared with report-to or report-uri: browsers then report framing that would have been blocked, without blocking it.
- Validate from the collected reports that legitimate use cases (internal tools, partner integrations) are unaffected.
- Deploy the header in production. A blocked frame is refused by the browser, not by the server, so blocks never show up as errors in HTTP logs: keep the CSP reporting in place to see violations, and if you want server-side visibility, log requests that carry Sec-Fetch-Dest: iframe (or frame, embed, object) together with Sec-Fetch-Site: cross-site, which modern browsers send on cross-site frame loads.
- If external framing is necessary, supplement the header with the frame-ancestors directive of an enforced Content-Security-Policy listing the permitted origins. Keep X-Frame-Options alongside it for browsers without CSP support; those that support frame-ancestors ignore X-Frame-Options when both are present, so the two never conflict.
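To make the checks above concrete, here is an added example (not code from the original article) in JavaScript that models what a browser decides when it receives a framed response, following the X-Frame-Options algorithm of the HTML Standard together with a deliberately minimal subset of CSP frame-ancestors matching. It covers the points that surprise people in practice: SAMEORIGIN is about the full origin and every ancestor, ALLOW-FROM is simply ignored by browsers that do not know it, an enforced frame-ancestors directive overrides X-Frame-Options, and a report-only CSP neither blocks nor disables it. The origins (https://exemple.com, https://attacker.example, https://partner.example), the header-map shape and the scenario list are constructed for the example.

```javascript
// Added example, not code from the original article: a model of the checks a
// browser runs before rendering a response inside a frame, following the
// X-Frame-Options algorithm in the HTML Standard plus a minimal subset of
// CSP frame-ancestors matching ('none', 'self', "scheme:" and exact origins;
// wildcards, ports and paths are out of scope). All origins below are
// constructed for the example.

// Split a header value on commas the way the spec's "get, decode and split"
// does: trim each piece and drop empty ones.
function splitHeader(value) {
  return value.split(',').map(v => v.trim()).filter(Boolean);
}

// Parse a CSP header into a Map of directive name -> source expressions.
// As in the spec, a directive named twice keeps its first occurrence.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one frame-ancestors source expression match an ancestor origin?
function sourceMatches(source, ancestorOrigin, responseOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === responseOrigin;
  if (s.endsWith(':')) return ancestorOrigin.startsWith(s + '//'); // e.g. https:
  return ancestorOrigin === s;                                      // exact origin
}

// frame-ancestors allows the load only if every ancestor matches some source.
function frameAncestorsAllow(sources, ancestorOrigins, responseOrigin) {
  return ancestorOrigins.every(a =>
    sources.some(s => sourceMatches(s, a, responseOrigin)));
}

// headers: lowercase header name -> array of raw values (one per header line).
// responseOrigin: origin of the framed page. ancestorOrigins: origins of the
// parent, grandparent, ... documents (empty for a top-level navigation).
function framingAllowed({ headers, responseOrigin, ancestorOrigins }) {
  if (ancestorOrigins.length === 0) return { allowed: true, reason: 'top-level' };

  // An *enforced* CSP carrying frame-ancestors wins and X-Frame-Options is
  // ignored. Content-Security-Policy-Report-Only is never consulted here: it
  // only generates reports, and it does not switch X-Frame-Options off.
  for (const policy of headers['content-security-policy'] || []) {
    const sources = parseCsp(policy).get('frame-ancestors');
    if (sources) {
      return { allowed: frameAncestorsAllow(sources, ancestorOrigins, responseOrigin),
               reason: 'frame-ancestors' };
    }
  }

  const values = new Set((headers['x-frame-options'] || [])
    .flatMap(splitHeader).map(v => v.toLowerCase()));
  if (values.size === 0) return { allowed: true, reason: 'no x-frame-options' };
  if (values.size > 1) {
    // Conflicting values: block if any of them is a real policy keyword.
    const blocks = ['deny', 'allowall', 'sameorigin'].some(v => values.has(v));
    return { allowed: !blocks, reason: 'conflicting x-frame-options values' };
  }
  const [value] = values;
  if (value === 'deny') return { allowed: false, reason: 'deny' };
  if (value === 'sameorigin') {
    // Every ancestor must share the full origin (scheme, host, port).
    const ok = ancestorOrigins.every(a => a === responseOrigin);
    return { allowed: ok, reason: 'sameorigin' };
  }
  // Anything else, including the obsolete ALLOW-FROM, is ignored entirely.
  return { allowed: true, reason: `unrecognised value "${value}" ignored` };
}

// Constructed scenarios for a stand-alone run.
const site = 'https://exemple.com';
const scenarios = [
  ['DENY framed by a third party',
   { 'x-frame-options': ['DENY'] }, ['https://attacker.example']],
  ['SAMEORIGIN framed by a sibling host of the same domain',
   { 'x-frame-options': ['SAMEORIGIN'] }, ['https://www.exemple.com']],
  ['SAMEORIGIN with a cross-site grandparent',
   { 'x-frame-options': ['SAMEORIGIN'] }, [site, 'https://attacker.example']],
  ['ALLOW-FROM (ignored by modern browsers)',
   { 'x-frame-options': ['ALLOW-FROM https://partner.example'] }, ['https://attacker.example']],
  ['DENY plus enforced frame-ancestors for a partner',
   { 'x-frame-options': ['DENY'],
     'content-security-policy': ["frame-ancestors 'self' https://partner.example"] },
   ['https://partner.example']],
  ['DENY plus report-only CSP: reports only, DENY still enforced',
   { 'x-frame-options': ['DENY'],
     'content-security-policy-report-only': ["frame-ancestors 'none'"] },
   [site]],
];
for (const [label, headers, ancestorOrigins] of scenarios) {
  const r = framingAllowed({ headers, responseOrigin: site, ancestorOrigins });
  console.log(`${r.allowed ? 'RENDERED' : 'BLOCKED '} ${label} (${r.reason})`);
}
```

Run it with node: each line prints RENDERED or BLOCKED followed by the rule that decided. Real CSP source matching also handles wildcards, ports and paths, which this model omits on purpose; the decision order (enforced CSP first, then the single-value and multi-value X-Frame-Options cases) is the part worth remembering when you audit a deployment.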
Configuration Examples
Nginx
    server {
        listen 443 ssl;
        server_name exemple.com www.exemple.com;
        add_header X-Frame-Options "DENY" always;
        # Other SSL directives…
    }
The always parameter makes Nginx send the header on error responses (4xx/5xx) as well. Note that an add_header inside a location block replaces every add_header inherited from the server block, so the line must be repeated in any location that defines its own headers.
Apache (.htaccess)
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "SAMEORIGIN"
    </IfModule>
This requires mod_headers to be loaded and, for a .htaccess file, AllowOverride FileInfo (or All) on the directory; the always condition adds the header to error responses too.
WordPress (functions.php)
    add_action('send_headers', function () {
        header('X-Frame-Options: DENY');
    });
WordPress core already sends X-Frame-Options: SAMEORIGIN on the login page and in the administration area (send_frame_options_header()); this hook adds the header to front-end responses. The send_headers action fires before any output is written, so header() can still be called at that point.
Our X-Frame-Options Implementation Services
At Dimension Internet, we provide:
- auditing your architecture and framing needs,
- defining a tailored X-Frame-Options strategy,
- integrating the header into your server (Apache, Nginx, CDN),
- testing and validation in a pre-production environment,
- continuous monitoring and maintenance of your framing policy.
Conclusion
The X-Frame-Options header provides a simple and robust defense against clickjacking, strengthens user trust, and contributes to compliance with web security standards. Dimension Internet supports you from initial audit to operational monitoring for seamless deployment. By combining X-Frame-Options and the frame-ancestors directive of the CSP, you benefit from optimal protection against framing attacks and ensure your site’s reputation and security.