HTTP headers | XFrameOptions (original) (raw)

HTTP headers | X-Frame-Options

Last Updated : 28 Apr, 2023

HTTP headers are used to pass additional information with HTTP responses or HTTP requests. The X-Frame-Options is used to prevent the site from clickjacking attacks. It defines whether or not a browser should be allowed to render a page in a , , , or . The frame-ancestors directive present in Content-Security-Policy(CSP) obsoletes X-Frame-Options.

Syntax:

X-Frame-Options: directive

Directives:

• deny: This directive stops the site from being rendered in i.e. site can't be embedded into other sites.
• sameorigin: This directive allows the page to be rendered in the frame if the frame has the same origin as the page.
• allow-from uri: This directive has now become obsolete and shouldn't be used. It is not supported by modern browsers. In this the page can be rendered in the that originated from a specified URI.

Examples:

• On Apache:
  To send the X-Frame-Options to all the pages of the same origins, set this to your site's configuration.

Header always set X-Frame-Options "sameorigin"

• Open httpd.conf file and add the following code to deny the permission

header always set x-frame-options "DENY"

• On Nginx: Open the server configuration file and add the following code to allow only from the same origin

add_header x-frame-options "SAMEORIGIN" always;

Supported Browsers: The browsers supported by X-Frame-Options are listed below:

• Chrome
• Internet Explorer
• Safari
• Firefox
• Edge

Note: Only Internet Explorer and Microsoft Edge support the allow-from directive.