X-Frame-Options header

The X-Frame-Options HTTP response header is used to control whether a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>`, or `<object>`.^[600-developer-tools-security-strict-transport-security.md] The primary security objective of this header is to prevent [[Clickjacking]] attacks^[600-developer-tools-security-strict-transport-security.md].

Directives

The header accepts three possible values to determine embedding permissions^[600-developer-tools-security-strict-transport-security.md]:

  • DENY: Prevents the page from being displayed in a frame, regardless of which site attempts it.^[600-developer-tools-security-strict-transport-security.md] For example, if www.example.com sets `X-Frame-Options: DENY`, it cannot be embedded via `<iframe>` on www.google.com or any other domain^[600-developer-tools-security-strict-transport-security.md].
  • SAMEORIGIN: Allows the page to be displayed only if the request originates from the same origin (scheme, host, and port)[1].^[600-developer-tools-security-strict-transport-security.md]
  • ALLOW-FROM: Specifies a whitelist of origins permitted to embed the page^[600-developer-tools-security-strict-transport-security.md]. For instance, setting it to https://example.com restricts embedding to that specific URL^[600-developer-tools-security-strict-transport-security.md].

Implementation Examples

Setting the header is typically done via the server's response configuration^[600-developer-tools-security-strict-transport-security.md].

```javascript
// Set exactly one of these on the response, depending on the chosen policy
res.setHeader('X-Frame-Options', 'DENY')
res.setHeader('X-Frame-Options', 'SAMEORIGIN')
res.setHeader('X-Frame-Options', 'ALLOW-FROM https://example.com')
```
^[600-developer-tools-security-strict-transport-security.md]
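As an added example (not from the source note), the following Node.js code builds the response headers for each of the three policies, pairing X-Frame-Options with the equivalent Content-Security-Policy frame-ancestors directive because ALLOW-FROM is obsolete in current browsers, and audits a captured header set to report whether the page is still frameable by arbitrary origins. The function names, the header map shape, and the sample inputs are this example's own assumptions.

```javascript
// Added example, not the source note's code. Builds anti-clickjacking headers for
// a policy and audits a response's headers for framing protection.
// ALLOW-FROM is obsolete, so frame-ancestors carries the real restriction and
// the X-Frame-Options value is kept only as a legacy fallback.
function frameHeaders(policy, allowedOrigin) {
  switch (policy) {
    case 'DENY':
      return { 'X-Frame-Options': 'DENY',
               'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'SAMEORIGIN':
      return { 'X-Frame-Options': 'SAMEORIGIN',
               'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'ALLOW-FROM':
      // ALLOW-FROM takes a single origin; reject anything that is not a bare https origin
      if (!/^https:\/\/[^\s/'"]+$/.test(allowedOrigin || '')) {
        throw new Error('ALLOW-FROM requires a single https origin');
      }
      return { 'X-Frame-Options': `ALLOW-FROM ${allowedOrigin}`,
               'Content-Security-Policy': `frame-ancestors ${allowedOrigin}` };
    default:
      throw new Error(`unknown framing policy: ${policy}`);
  }
}

// Audits a header map (names in any case) and reports whether third-party
// origins can frame the page. frame-ancestors wins over X-Frame-Options when
// both are present, matching browser precedence.
function auditFrameProtection(headers) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) lower[name.toLowerCase()] = value;
  const csp = lower['content-security-policy'] || '';
  const fa = csp.split(';').map(s => s.trim()).find(s => s.startsWith('frame-ancestors'));
  if (fa) {
    const sources = fa.split(/\s+/).slice(1);
    // "frame-ancestors *" lets any origin frame the page; an empty list means none
    return { safe: !sources.includes('*'), source: 'frame-ancestors' };
  }
  const xfo = (lower['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') return { safe: true, source: 'x-frame-options' };
  // ALLOW-FROM alone is ignored by modern browsers, so it is reported as unprotected
  if (xfo.startsWith('ALLOW-FROM')) return { safe: false, source: 'x-frame-options-allow-from' };
  return { safe: false, source: 'none' };
}

// Constructed sample: a response that only sent the obsolete directive
const sampleFinding = auditFrameProtection({ 'X-Frame-Options': 'ALLOW-FROM https://example.com' });
console.log(sampleFinding); // { safe: false, source: 'x-frame-options-allow-from' }
```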

  • [[Content-Security-Policy]] (Note: Modern implementations may use the frame-ancestors directive in place of X-Frame-Options).
  • HTTP Security Headers

Sources

  • 600-developer-tools-security-strict-transport-security.md

  1. This inference is based on the standard definition of "same origin" implied by the directive name "SAMEORIGIN" within the source context.