Security Header

X-Frame-Options

Last updated: April 2026

X-Frame-Options controls whether your page can be embedded in an iframe on other sites. The browser enforces it, restricting how your page can be framed; framing a page invisibly is the usual vector for clickjacking attacks.

Values

X-Frame-Options: DENY        # block all framing
X-Frame-Options: SAMEORIGIN  # allow same-origin framing only

DENY is the most secure. Use SAMEORIGIN if your own site embeds the page in an iframe.

Set in Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Modern alternative: CSP frame-ancestors

The CSP frame-ancestors directive can list specific allowed origins, which X-Frame-Options cannot, and when both headers are present, browsers that support frame-ancestors ignore X-Frame-Options. Send both so that older browsers still get protection:

# Block all framing
add_header X-Frame-Options "DENY" always;
add_header Content-Security-Policy "frame-ancestors 'none'" always;

# Allow specific origin
add_header Content-Security-Policy "frame-ancestors 'self' https://trusted.com" always;

Verify

curl -sI https://yoursite.com | grep -iE 'x-frame-options|content-security-policy'
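As an added example (not part of the original page), a small Python checker that applies the precedence rule described above to headers captured with the Verify command: it reads the raw curl output, prefers frame-ancestors when present, and otherwise falls back to DENY / SAMEORIGIN. The header values and origins used in the test are constructed, and the helper names are this example's own.

```python
from urllib.parse import urlsplit


def parse_raw_headers(raw):
    """Turn `curl -sI` output into a {lowercase name: value} dict (status line skipped)."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def _source_matches(source, page_origin, embedder):
    """Match one frame-ancestors source ('self', an origin, or *.host) against the embedder."""
    if source == "'self'":
        return embedder == page_origin
    scheme, _, host = source.rpartition("://")  # scheme part may be absent
    e = urlsplit(embedder)
    if scheme and scheme != e.scheme:
        return False
    if host.startswith("*."):
        return e.netloc.endswith(host[1:])  # "*.trusted.com" matches any subdomain
    return e.netloc == host


def framing_allowed(headers, page_origin, embedder_origin):
    """Decide whether embedder_origin may frame page_origin, using browser precedence:
    frame-ancestors, when present, wins and X-Frame-Options is ignored; otherwise
    DENY / SAMEORIGIN apply; no header, a typo or obsolete ALLOW-FROM leaves it frameable."""
    h = {k.lower(): v for k, v in headers.items()}
    page_origin, embedder_origin = page_origin.lower(), embedder_origin.lower()
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "'none'" in sources:
            return False
        return any(_source_matches(s, page_origin, embedder_origin) for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder_origin == page_origin
    return True
```

Feed it the output of `curl -sI` for each page you care about; a result of True for an origin you do not control means that page is still frameable.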