Header guide

X-Frame-Options

X-Frame-Options is an HTTP response header that tells the browser whether the page it belongs to may be rendered inside a frame, iframe, embed, or object on another page.

01

Why Framing Matters

Clickjacking attacks load a real page inside an invisible or disguised frame on an attacker-controlled page, then position decoy content so that the user's click or keypress lands on the framed page: a "confirm transfer" or "change email" button, for example. The victim is logged in, so the framed page acts with their session.

Blocking framing is a cheap, effective protection for login pages, account pages, billing pages, and admin tools. The header has to be sent on every response that renders those pages, not only on the site's front page, because the browser checks each framed document individually.

02

DENY Or SAMEORIGIN

Use DENY when the page should never be framed, by anyone. Use SAMEORIGIN when pages from the same origin (same scheme, host and port, not merely the same site or registrable domain) may embed it; current browsers block rendering if any ancestor in the frame chain is cross-origin, while older browser versions only checked the top-level page. Values are compared case-insensitively, but a value the browser does not recognise is ignored and the page can be framed, so a typo in the header silently disables the protection.

Content-Security-Policy's frame-ancestors directive covers the same ground and more: it can name specific origins that are allowed to embed the page. When both are present, a browser that understands frame-ancestors ignores X-Frame-Options entirely, so the two must express the same policy. X-Frame-Options remains a useful compatibility header for clients that do not implement CSP.
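The decision described above, written out as an added example for this guide (it is not browser code): a model of how a browser evaluates a response's X-Frame-Options value against the frame's ancestor chain, following the check in the HTML standard, and of the rule that an enforced CSP frame-ancestors directive takes precedence. It also covers the FAQ cases below: ALLOW-FROM and other unrecognised values are ignored, conflicting values such as "DENY, SAMEORIGIN" block, and report-only policies do not count. The origins and headers used in the docstrings are constructed, and the frame-ancestors matcher is simplified (no host wildcards).

```python
"""Model of the browser-side framing decision for one response.

Added example for this guide; not browser code. Follows the X-Frame-Options
check in the HTML standard, with enforced CSP frame-ancestors taking
precedence. All origins and headers used with it are constructed samples.
"""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Serialise a URL's origin as scheme://host[:port], dropping default ports."""
    p = urlsplit(url)
    scheme, host, port = p.scheme.lower(), (p.hostname or "").lower(), p.port
    if port is None or (scheme, port) in (("http", 80), ("https", 443)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _xfo_tokens(headers):
    """All X-Frame-Options values, comma-split, trimmed and lower-cased.
    None when the header is absent. Quoted strings are not modelled."""
    values = [v for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return None
    return [t.strip(" \t").lower() for v in values for t in v.split(",")]


def _frame_ancestors(headers):
    """Source list of frame-ancestors from an enforced CSP header, else None.
    Content-Security-Policy-Report-Only is deliberately not consulted."""
    for n, v in headers:
        if n.lower() != "content-security-policy":
            continue
        for directive in v.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None


def _ancestor_matches(sources, ancestor, doc_origin):
    """Simplified frame-ancestors matching: 'self', '*', scheme sources such
    as https:, and full origins. 'none' never matches; host wildcards omitted."""
    for src in sources:
        s = src.lower()
        if s == "'self'" and ancestor == doc_origin:
            return True
        if s == "*":
            return True
        if s.endswith(":") and "//" not in s and ancestor.startswith(s + "//"):
            return True
        if "://" in s and origin_of(s) == ancestor:
            return True
    return False


def framing_allowed(headers, response_url, ancestor_urls):
    """Decide whether the document at response_url may render inside a frame.

    headers: (name, value) pairs from the framed document's response.
    ancestor_urls: embedding documents from the direct parent up to the
    top-level page. Returns (allowed, reason).
    """
    doc_origin = origin_of(response_url)
    ancestors = [origin_of(u) for u in ancestor_urls]

    # 1. An enforced frame-ancestors directive wins; X-Frame-Options is ignored.
    sources = _frame_ancestors(headers)
    if sources is not None:
        for anc in ancestors:
            if not _ancestor_matches(sources, anc, doc_origin):
                return False, f"frame-ancestors rejects ancestor {anc}"
        return True, "frame-ancestors permits every ancestor; X-Frame-Options ignored"

    # 2. No X-Frame-Options at all: framing is allowed.
    tokens = _xfo_tokens(headers)
    if tokens is None:
        return True, "no X-Frame-Options header"
    unique = set(tokens)

    # 3. Several distinct values (repeated headers or "DENY, SAMEORIGIN"): block
    #    if any is a recognised keyword, otherwise the whole header is ignored.
    if len(unique) > 1:
        if unique & {"deny", "sameorigin", "allowall"}:
            return False, f"conflicting values {sorted(unique)}"
        return True, f"multiple unrecognised values {sorted(unique)} are ignored"

    # 4. One value: DENY and SAMEORIGIN are enforced; anything else,
    #    ALLOW-FROM included, is unrecognised and allows framing.
    value = unique.pop()
    if value == "deny":
        return False, "DENY"
    if value == "sameorigin":
        for anc in ancestors:
            if anc != doc_origin:
                return False, f"SAMEORIGIN: ancestor {anc} is not {doc_origin}"
        return True, "SAMEORIGIN: every ancestor is same-origin"
    return True, f"unrecognised value {value!r} is ignored"
```

Calling framing_allowed with the framed page's headers, its URL and the chain of embedding pages returns the verdict and the rule that produced it; the reason string is what you want in a header-audit report, because "allowed because the value was unrecognised" is a finding, not a pass.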

03

Examples

Use DENY for account settings, payment pages, and admin screens.

Use SAMEORIGIN when your own pages need to embed a trusted internal route, such as a same-origin preview or widget. Set the header on the page being embedded; the headers of the page doing the embedding play no part in the check.
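One way to apply this split on the server, as an added example for this guide rather than code from any framework: a WSGI middleware that pins sensitive routes to DENY, lets the site's own embed routes use SAMEORIGIN, applies a configurable default to everything else, and always sends a matching CSP frame-ancestors directive so the two headers cannot disagree. The route prefixes are constructed assumptions about a site's layout; the headers_for helper runs a stub application through the middleware so the result can be inspected offline.

```python
"""WSGI middleware applying the framing policy described above.

Added example for this guide, not code from any framework. Route prefixes
are constructed assumptions about a site's layout. Every response leaves
with X-Frame-Options and a CSP frame-ancestors directive that agree, and
the middleware overrides whatever the application set.
"""

# Routes that must never be framed, whatever the site-wide default is.
DENY_PREFIXES = ("/login", "/account", "/billing", "/checkout", "/admin")
# Routes the site's own same-origin pages embed, e.g. a preview widget.
SAMEORIGIN_PREFIXES = ("/embed/",)


def framing_policy(path, default="DENY"):
    """Map a request path to (X-Frame-Options value, frame-ancestors source)."""
    if default not in ("DENY", "SAMEORIGIN"):
        raise ValueError("default must be DENY or SAMEORIGIN")
    if path.startswith(DENY_PREFIXES):
        return "DENY", "'none'"
    if path.startswith(SAMEORIGIN_PREFIXES):
        return "SAMEORIGIN", "'self'"
    return default, "'none'" if default == "DENY" else "'self'"


def _merge_csp(headers, directive):
    """Put `directive` into the Content-Security-Policy header, replacing any
    frame-ancestors the app set so the two headers cannot contradict."""
    out, merged = [], False
    for name, value in headers:
        if name.lower() == "content-security-policy" and not merged:
            kept = [d.strip() for d in value.split(";")
                    if d.strip() and not d.strip().lower().startswith("frame-ancestors")]
            value, merged = "; ".join(kept + [directive]), True
        out.append((name, value))
    if not merged:
        out.append(("Content-Security-Policy", directive))
    return out


def frame_guard(app, default="DENY"):
    """Wrap a WSGI app so every response carries the framing headers."""
    def wrapped(environ, start_response):
        xfo, source = framing_policy(environ.get("PATH_INFO", "/"), default)

        def guarded_start(status, headers, exc_info=None):
            # Drop the app's own X-Frame-Options so policy lives in one place.
            headers = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
            headers = _merge_csp(headers, f"frame-ancestors {source}")
            headers.append(("X-Frame-Options", xfo))
            return start_response(status, headers, exc_info)

        return app(environ, guarded_start)
    return wrapped


def headers_for(path, app_headers=(), default="DENY"):
    """Run a stub app through frame_guard; return response headers as a dict."""
    def stub_app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")] + list(app_headers))
        return [b"<html></html>"]

    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers
        return lambda data: None

    list(frame_guard(stub_app, default)({"PATH_INFO": path}, start_response))
    return dict(captured["headers"])
```

The default is DENY so a newly added route is safe until someone deliberately adds it to SAMEORIGIN_PREFIXES; a site that prefers SAMEORIGIN as its baseline can pass default="SAMEORIGIN" and the sensitive prefixes still get DENY.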

FAQ

Common questions

Should I use X-Frame-Options and CSP frame-ancestors?

Yes. Send both. CSP frame-ancestors is more flexible, since it can list specific origins that may embed the page, and browsers that support it give it precedence; X-Frame-Options covers older clients and is simple and widely understood. Make sure the two say the same thing, otherwise different browsers will enforce different policies.

Does ALLOW-FROM still work?

Do not rely on ALLOW-FROM. Only some browsers ever honoured it, and a browser that does not recognise the value ignores the header altogether, so the page can then be framed by anyone. Use CSP frame-ancestors to allow a specific origin instead.

Can X-Frame-Options replace CSP?

No. It only controls who may frame the page. CSP also governs which scripts, styles, images, connections and other resources the page may load; frame-ancestors is just one of its directives.

Should public pages block framing?

Most public pages should block framing unless you intentionally support embedding. If you do support it, prefer CSP frame-ancestors with an explicit list of embedding origins over dropping the header.

What happens when a page is blocked from framing?

The browser refuses to render the document inside the frame and shows an empty frame or an error page instead. The response is still fetched, but its content is never displayed or scripted in that frame, so an attacker's page has nothing to overlay. The protection is enforced by the browser, so it only helps users of browsers that honour the header; it does nothing against a non-browser client fetching the page directly.