X-Frame-Options Header Explained

Jul 16, 2026
Updated Jul 16, 2026 Security Headers x-frame-options x-frame-options header clickjacking header deny sameorigin

The X-Frame-Options HTTP response header controls whether a browser is allowed to render your page inside a <frame>, <iframe>, <embed>, or <object>. Its purpose is to stop clickjacking — an attack where a malicious site loads your page in a hidden or transparent frame and tricks users into clicking things they cannot see.

What is the X-Frame-Options header?

Standardised in RFC 7034, X-Frame-Options is a simple, single-purpose control. If an attacker frames your banking or admin page invisibly over their own decoy buttons, a victim thinks they are clicking the attacker's page but their clicks land on yours. Refusing to be framed removes that possibility entirely.

X-Frame-Options values

ValueEffect
DENYThe page can never be framed, by anyone — including your own site.
SAMEORIGINThe page may only be framed by pages from the same origin. The common, practical choice.

The old ALLOW-FROM uri value is deprecated and ignored by modern browsers — use CSP's frame-ancestors if you need to allow specific external origins.

Example X-Frame-Options header

X-Frame-Options: SAMEORIGIN

X-Frame-Options vs CSP frame-ancestors

The modern replacement for X-Frame-Options is the frame-ancestors directive of the Content-Security-Policy header, which is more flexible — it can allow a specific list of origins, which X-Frame-Options cannot. Best practice today is to set both: frame-ancestors for modern browsers and X-Frame-Options: SAMEORIGIN as a fallback for older ones.

How to check X-Frame-Options

Verify whether a site sends X-Frame-Options (and its frame-ancestors policy) with the free HTTP headers checker, or audit all of a site's headers together in the security headers guide.

Common mistakes

  • Relying on the deprecated ALLOW-FROM. It no longer works; use CSP frame-ancestors for allowlisting specific framers.
  • Setting only X-Frame-Options. Add CSP frame-ancestors too, since it is the standard modern control.
  • Using DENY when you legitimately frame your own pages. Choose SAMEORIGIN so same-origin embedding still works.

Related security headers

Clickjacking defence is one layer of a headers strategy alongside Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy.

Frequently asked questions

Is X-Frame-Options deprecated?

The header still works and browsers honour DENY and SAMEORIGIN, but the CSP frame-ancestors directive is the modern standard. Set both for the widest coverage.

What is the difference between DENY and SAMEORIGIN?

DENY blocks all framing, even by your own site. SAMEORIGIN allows framing only by pages on the same origin, which is usually what you want.

Does X-Frame-Options stop clickjacking completely?

For frame-based clickjacking, yes — a page that cannot be framed cannot be overlaid. Combine it with CSP frame-ancestors for full modern-browser coverage.

Scan for these vulnerabilities

Secably automatically detects the issues discussed in this article.

Start Free Scan