Skip to content
Related Articles
Open in App
Not now

Related Articles

HTTP headers | X-Frame-Options

Improve Article
Save Article
  • Difficulty Level : Medium
  • Last Updated : 21 Feb, 2023
Improve Article
Save Article

HTTP headers are used to pass additional information with HTTP response or HTTP requests. The X-Frame-Options is used to prevent the site from clickjacking attacks. It defines whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. The frame-ancestors directive present in Content-Security-Policy(CSP) obsoletes X-Frame-Options. 


X-Frame-Options: directive


  • deny: This directive stops the site from being rendered in <frame> i.e. site can’t be embedded into other sites.
  • sameorigin: This directive allows the page to be rendered in the frame if frame has the same origin as the page.
  • allow-from uri: This directive has now became obsolete and shouldn’t be used. It is not supported by modern browser. In this the page can be rendered in the <frame> that is originated from specified uri.


  • On Apache: 
    To send the X-Frame-Options to all the pages of same originis, set this to your site’s configuration.
Header always set X-Frame-Options "sameorigin"
  • Open httpd.conf file and add the following code to deny the permission
header always set x-frame-options "DENY"
  • On Nginx: Open the server configuration file and add the following code to allow only from same origin
add_header x-frame-options "SAMEORIGIN" always;

Supported Browsers: The browsers supported by X-Frame-Options are listed below: 

  • Chrome
  • Internet Explorer
  • Safari
  • Firefox
  • Edge

Note: Only Internet Explorer and Microsoft Edge supports the allow-from directive.

My Personal Notes arrow_drop_up
Related Articles

Start Your Coding Journey Now!