X-Frame-Options header

It is possible to frame a website, within another website and then overlay that framed site with other content - one example of Clickjacking. This allows hackers to make user click on links on the underlying hidden site without realising it. For example if you are auto log in to Amazon.com, then it might line the "Buy now with 1-Click" button with another fake "button" on top. The user clicks the fake button, and accidentally buys something on Amazon.

X-Frame-Options is a HTTP header that the web server can return, which tells the browser whether to allow that website to be framed or not. Amazon incidentally does not allow this as it has this header set so above example should not be an issue.

To set this up it is a simple matter of adding the X-Frame-Options header to your web server config. In Apache this would be

This would deny all framing and show an error if any browser tried to frame this website. Alternatively, if you use framing on your own website then you could use the following instead:

There is another option to allow framing from named sites, with the addition of the ALLOW-FROM setting, but it is not well supported (Chrome does not support it at all for example) so we do not advise using it.

This option is very well supported in in all modern browsers if you ignore the ALLOW-FROM option. However this header was never standardized (hence the X- part of the name) and there are plans to replace it with equivalent options in CSP, but the support for that is not there yet so in the meantime we strongly advise using this header.

Note also that some browsers used to pick up this value from a meta entry on the HTML, for those that did not have access to the server config, but this was explicitly not allowed by the spec and even browsers that did support it like Chrome are removing the ability to specific the X-Frame-Options in meta tags.

The downsides

The main downside is if you need to use frames in your website, usually for legacy reasons, then you may not be able to use this setting. However you should at least be able to SAMEORIGIN option, even if you can't use the more secure DENY option. Other options (such as anti-clickjacking scripts) can be used when this setting cannot.

This is a simple option which most websites should be able to use, and which provides good protection with very little downside. So it's very depressing that only 5.95% of websites use this. We recommend you are not one of them.

This page was originally created on 09-Aug-2015 and last edited on 28-Jun-2022.