How to add the HTTP header ‘X-Frame-Options’ for an iframe?

Inline frame tag in HTML: The iframe tag is used to display or embed another document within an HTML document. Its ‘src’ attribute specifies the URL of the document to be displayed. The X-Frame-Options header sent by the site being embedded decides whether the browser will actually display that document inside another page’s frame.

X-Frame-Options: X-Frame-Options is not an attribute of the iframe, frame or any other HTML tag. It is an HTTP response header, one of the so-called HTTP security headers. It tells the browser whether the document at the requested URL may be rendered inside a frame of another page, which is how it helps prevent clickjacking attacks (tricking a user into clicking on an invisible, framed page laid over a decoy). Because it is a response header, it cannot be set in the body of an HTML document (a meta tag has no effect); it has to be sent by the server of the site that is being framed, not by the page that contains the iframe. The available values are:

  • DENY: the page cannot be rendered inside any frame-like container (iframe, frame, object, embed, applet), not even by a page from the same site.
  • SAMEORIGIN: the page may be rendered in a frame only by pages of the same origin (same scheme, host and port). Per the HTML standard, every ancestor frame up to the top-level document must be same-origin with the framed page.
  • ALLOW-FROM uri: the page may be rendered in a frame only by the specified uri. This value is obsolete: it was only ever supported by Internet Explorer, legacy Edge and older Firefox versions, and current browsers treat it as an unrecognised value (see the note below). To allow framing by a specific origin, use the Content-Security-Policy frame-ancestors directive instead.
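
To make the three values concrete, here is an added example (written for this page, not code from the original article or from any browser) that models the check a browser performs before rendering a fetched document inside a frame: X-Frame-Options DENY, SAMEORIGIN and the legacy ALLOW-FROM uri, plus the rule that a Content-Security-Policy frame-ancestors directive, when present, takes precedence over X-Frame-Options. The URLs and header values are constructed; the `legacy_allow_from` switch, the function names and the simplified frame-ancestors matcher are this example’s own choices.

```python
"""Browser-side evaluation of X-Frame-Options for a framed document.

Added example, not code from the original article: models the browser's
decision for DENY, SAMEORIGIN and the legacy ALLOW-FROM uri, following the
check in the HTML standard, plus the rule that a Content-Security-Policy
frame-ancestors directive, when present, takes precedence. The CSP matcher
only understands 'none', 'self', '*', scheme sources and literal origins.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Serialize a URL's origin as scheme://host[:port].

    Default ports are dropped so https://a.example:443 and https://a.example
    compare equal; '' is returned for URLs without a scheme or host.
    """
    parts = urlsplit(url)
    scheme, host = parts.scheme.lower(), parts.hostname
    if not scheme or not host:
        return ""
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def frame_ancestors_allows(csp, response_url, ancestor_urls):
    """Evaluate the frame-ancestors directive of a CSP header value.

    Returns None if the policy has no frame-ancestors directive, otherwise
    True/False: every ancestor document must match at least one source.
    """
    sources = None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.lower() for t in tokens[1:]]
            break
    if sources is None:
        return None
    self_origin = origin_of(response_url)
    for ancestor in ancestor_urls:
        origin, ok = origin_of(ancestor), False
        for src in sources:
            if src == "*":
                ok = True
            elif src == "'self'":
                ok = origin == self_origin
            elif src.endswith(":"):
                ok = origin.startswith(src)        # scheme source, e.g. https:
            elif src != "'none'":
                ok = origin_of(src) == origin      # literal origin
            if ok:
                break
        if not ok:
            return False
    return True


def framing_allowed(headers, response_url, ancestor_urls, legacy_allow_from=False):
    """Decide whether the browser may render the response inside a frame.

    headers:           response headers, names matched case-insensitively
    response_url:      URL the framed document was fetched from
    ancestor_urls:     URLs of the framing documents, parent first, top-level
                       last; empty means the document is loaded top-level
    legacy_allow_from: emulate IE / legacy Edge, which honoured ALLOW-FROM by
                       comparing it with the top-level document's origin
    """
    if not ancestor_urls:
        return True                                  # nothing is framing it
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        verdict = frame_ancestors_allows(csp, response_url, ancestor_urls)
        if verdict is not None:
            return verdict                           # CSP wins, XFO ignored
    raw = h.get("x-frame-options")
    if raw is None:
        return True                                  # no header, no restriction
    values = [v.strip().lower() for v in raw.split(",") if v.strip()]
    if len(set(values)) > 1:
        # Conflicting values (e.g. "DENY, SAMEORIGIN") are treated as deny,
        # unless one of them is the non-standard ALLOWALL.
        return "allowall" in values
    value = values[0] if values else ""
    if value == "deny":
        return False
    if value == "sameorigin":
        own = origin_of(response_url)
        return all(origin_of(a) == own for a in ancestor_urls)
    if value.startswith("allow-from"):
        if not legacy_allow_from:
            return True             # current browsers ignore the header entirely
        allowed = origin_of(value[len("allow-from"):].strip())
        return allowed != "" and origin_of(ancestor_urls[-1]) == allowed
    return True                                      # unrecognised value, ignored
```

Two things worth noticing when running it: an ALLOW-FROM header that only a legacy browser honours gives no protection at all in a current browser (the framing is simply allowed), and a DENY that is accompanied by a frame-ancestors directive is never consulted, so the CSP value must be at least as strict as the X-Frame-Options value you intended.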

The header is set in the server configuration of the site that is going to be loaded in the iframe (for IIS that is the site’s web.config), not on the page that contains the iframe. The value is case-insensitive.


For configuring IIS, add the header to the site’s web.config under system.webServer:

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <!-- DENY is the other standard value; ALLOW-FROM is obsolete -->
        <add name="X-Frame-Options" value="SAMEORIGIN"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

For configuring Apache, add this to the server or virtual host configuration (or to .htaccess where that is permitted) with mod_headers enabled; the ‘always’ keyword makes the header go out on error responses as well, not only on successful ones:

Header always set X-Frame-Options "SAMEORIGIN"
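
The same policy can be set in application code instead of the web server. As an added example (not from the original article), the following WSGI middleware adds X-Frame-Options to every response, error pages included, together with the Content-Security-Policy frame-ancestors directive that current browsers evaluate instead; the `hello` and `error_page` applications, the `anti_framing` name and the synthetic test request are this example’s own.

```python
"""Anti-framing headers added at the application layer.

Added example, not from the original article: the same policy as the IIS
and Apache fragments, applied as WSGI middleware so that every response the
application emits carries it, error pages included. It sends X-Frame-Options
for older browsers and the CSP frame-ancestors directive that current
browsers evaluate instead; extra origins go only into frame-ancestors, since
ALLOW-FROM is obsolete. The sample applications are constructed stand-ins.
"""
from wsgiref.util import setup_testing_defaults


def anti_framing(app, policy="SAMEORIGIN", allowed_origins=()):
    """Wrap a WSGI app so that every response carries anti-framing headers.

    policy is DENY or SAMEORIGIN (the only values current browsers honour).
    allowed_origins lists further origins permitted to frame the page; they
    are expressed in frame-ancestors only and require policy SAMEORIGIN.
    """
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("X-Frame-Options accepts only DENY or SAMEORIGIN")
    if policy == "DENY" and allowed_origins:
        raise ValueError("allowed_origins cannot be combined with DENY")
    if policy == "DENY":
        ancestors = "'none'"
    else:
        ancestors = " ".join(("'self'",) + tuple(allowed_origins))
    fa_directive = f"frame-ancestors {ancestors}"

    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            out, csp_seen = [], False
            for name, value in headers:
                lname = name.lower()
                if lname == "x-frame-options":
                    continue            # replace whatever the app set
                if lname == "content-security-policy":
                    csp_seen = True
                    # Keep the app's other directives; add ours if missing.
                    if "frame-ancestors" not in value.lower():
                        value = value.rstrip("; ") + "; " + fa_directive
                out.append((name, value))
            out.append(("X-Frame-Options", policy))
            if not csp_seen:
                out.append(("Content-Security-Policy", fa_directive))
            return start_response(status, out, exc_info)
        return app(environ, start)

    return wrapped


def hello(environ, start_response):
    """Constructed sample application with no security headers of its own."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def error_page(environ, start_response):
    """Constructed sample: an error response that sets its own CSP and a
    weak X-Frame-Options value, which the middleware must override."""
    start_response("500 Internal Server Error",
                   [("Content-Security-Policy", "script-src 'self'"),
                    ("X-Frame-Options", "ALLOWALL")])
    return [b"error"]


def response_headers(app, path="/"):
    """Run a WSGI app on a synthetic request; return (status, headers dict)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    b"".join(app(environ, start_response))       # consume the body iterable
    return captured["status"], captured["headers"]
```

Whichever layer sets the header, verify the live site with an HTTP client that shows response headers (for example curl -I) and check both the normal pages and an error page, since a policy that is missing on 404 or 500 responses still leaves those pages frameable.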

Note: ALLOW-FROM uri was only supported by Internet Explorer (version 8 and above), the legacy EdgeHTML-based Edge (version 12 and above) and Firefox 18 to 69; Chrome and Safari never implemented it, and current browsers treat it as an unrecognised value, which means it provides no protection at all. To allow framing by a specific origin, send a Content-Security-Policy header with the frame-ancestors directive (for example frame-ancestors 'self' followed by the trusted origin), which browsers honour in preference to X-Frame-Options whenever it is present; keep X-Frame-Options DENY or SAMEORIGIN alongside it for older browsers, and make sure the two do not contradict each other.
