X-Frame-Options Missing

Last updated: April 2026

Your site is missing the X-Frame-Options header. Without it, attackers can embed your page in an invisible iframe and trick users into clicking things on your page (clickjacking).

Fix for Nginx

add_header X-Frame-Options "SAMEORIGIN" always;
# Or, to block all framing, use this line instead (set only one of the two):
# add_header X-Frame-Options "DENY" always;

Fix for Cloudflare (Transform Rule)

Header: X-Frame-Options
Value: SAMEORIGIN

Fix for Vercel (vercel.json headers entry)

{ "key": "X-Frame-Options", "value": "SAMEORIGIN" }

Fix for Apache

Header always set X-Frame-Options "SAMEORIGIN"

Modern alternative: CSP frame-ancestors

# Supports specific allowed origins (X-Frame-Options does not)
# Block all framing:
Content-Security-Policy: frame-ancestors 'none'
# Or allow same-origin pages plus one trusted origin:
Content-Security-Policy: frame-ancestors 'self' https://trusted.com
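
One way to verify a response after applying any of the fixes above, as an added example that is not part of the original page: the function name framing_policy and the sample headers are assumptions constructed for illustration. It treats an enforced frame-ancestors as taking precedence over X-Frame-Options, ignores Content-Security-Policy-Report-Only, and flags conflicting or unrecognised X-Frame-Options values.

```python
# Added example (not from the original page): audit anti-framing headers.
def framing_policy(headers):
    """headers: list of (name, value) pairs as received, duplicates kept.
    Returns (verdict, detail)."""
    xfo, ancestors = set(), []
    for name, value in headers:
        name = name.strip().lower()
        if name == "x-frame-options":
            # Repeated headers and comma-joined values form one list.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        elif name == "content-security-policy":  # Report-Only is not enforced
            for policy in value.split(","):
                for directive in policy.split(";"):
                    parts = directive.split()
                    if parts and parts[0].lower() == "frame-ancestors":
                        ancestors.append([p.lower() for p in parts[1:]])
                        break  # first occurrence in a policy is the one used
    if ancestors:
        # An enforced frame-ancestors takes precedence over X-Frame-Options.
        if any(not src or src == ["'none'"] for src in ancestors):
            return ("blocked", "frame-ancestors 'none'")
        # Every policy must match, so it is weak only if all are wildcards.
        if all(any(s in ("*", "http:", "https:") for s in src) for src in ancestors):
            return ("weak", "frame-ancestors allows any origin")
        return ("restricted", "frame-ancestors source list")
    if len(xfo) > 1:
        return ("conflict", "multiple X-Frame-Options values: " + ", ".join(sorted(xfo)))
    if xfo == {"DENY"}:
        return ("blocked", "X-Frame-Options DENY")
    if xfo == {"SAMEORIGIN"}:
        return ("same-origin", "X-Frame-Options SAMEORIGIN")
    if xfo:
        return ("unprotected", "unrecognised X-Frame-Options value: " + next(iter(xfo)))
    return ("missing", "no X-Frame-Options or frame-ancestors")


if __name__ == "__main__":
    # Constructed sample responses, not captured from a real site.
    samples = [
        [("Server", "nginx")],
        [("X-Frame-Options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
        [("Content-Security-Policy", "frame-ancestors *"), ("X-Frame-Options", "DENY")],
    ]
    for sample in samples:
        print(framing_policy(sample))
```

The second sample is what a server emits if both Nginx add_header lines are active at once; the third shows a permissive frame-ancestors overriding an otherwise strict X-Frame-Options.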