X-Frame-Options header - HTTP | MDN (original) (raw)

Syntax

http

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

Directives

DENY

The document cannot be loaded in any frame, regardless of origin (both same- and cross-origin embedding is blocked).

SAMEORIGIN

The document can only be embedded if all ancestor frames have the same origin as the page itself.

ALLOW-FROM origin

This is an obsolete directive. Modern browsers that encounter response headers with this directive will ignore the header completely. The Content-Security-Policy HTTP header has a frame-ancestors directive which you should use instead.

Examples

**Warning:**Setting X-Frame-Options inside the element (e.g., <meta http-equiv="X-Frame-Options" content="deny">) has no effect. X-Frame-Options is only enforced via HTTP headers, as shown in the examples below.

Configuring Apache

To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration:

apacheconf

Header always set X-Frame-Options "SAMEORIGIN"

To configure Apache to set X-Frame-Options to DENY, add this to your site's configuration:

apacheconf

Header set X-Frame-Options "DENY"

Configuring Nginx

To configure Nginx to send the X-Frame-Options header, add this either to your http, server or location configuration:

nginx

add_header X-Frame-Options SAMEORIGIN always;

You can set the X-Frame-Options header to DENY using:

nginx

add_header X-Frame-Options DENY always;

Configuring IIS

To configure IIS to send the X-Frame-Options header, add this to your site's Web.config file:

xml

<system.webServer>
  …
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  …
</system.webServer>

For more information, see the Microsoft support article on setting this configuration using the IIS Manager user interface.

Configuring HAProxy

To configure HAProxy to send the X-Frame-Options header, add this to your front-end, listen, or backend configuration:

rspadd X-Frame-Options:\ SAMEORIGIN

Alternatively, in newer versions:

http-response set-header X-Frame-Options SAMEORIGIN

Configuring Express

To set X-Frame-Options to SAMEORIGIN using Helmet add the following to your server configuration:

js

import helmet from "helmet";

const app = express();
app.use(
  helmet({
    xFrameOptions: { action: "sameorigin" },
  }),
);

Specifications

Browser compatibility

See also

• Content-Security-Policy directive frame-ancestors
• ClickJacking Defenses - IEBlog
• Combating ClickJacking with X-Frame-Options - IEInternals