HTTP headers | X-Frame-Options

HTTP headers pass additional information along with an HTTP request or response. The X-Frame-Options response header protects a site against clickjacking attacks: it tells the browser whether the page may be rendered inside a <frame>, <iframe>, <embed> or <object>. The frame-ancestors directive of Content-Security-Policy (CSP) obsoletes X-Frame-Options and takes precedence over it in browsers that support both.


Syntax: X-Frame-Options: directive


  • deny: The page may not be rendered in a frame at all, i.e. the site cannot be embedded into any other site.
  • sameorigin: The page may be rendered in a frame only if the frame has the same origin as the page itself.
  • allow-from uri: Obsolete and not supported by modern browsers; it should not be used. It allowed the page to be rendered in a frame originating from the specified uri.


  • On Apache (requires mod_headers):
    To send X-Frame-Options with every page and permit framing only from the same origin, add this to your site's configuration:

    Header always set X-Frame-Options "sameorigin"

    Open httpd.conf and add the following line to deny framing entirely:

    Header always set X-Frame-Options "DENY"
  • On Nginx: Open the server configuration file and add the following line to allow framing only from the same origin:
    add_header X-Frame-Options "SAMEORIGIN" always;
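The following Python checker, added here as an example and not part of the original article, applies the rules stated above to a set of response headers: a CSP frame-ancestors directive takes precedence, DENY and SAMEORIGIN are the two supported X-Frame-Options values, and ALLOW-FROM is obsolete. The header values in the `main` block are constructed for illustration.

```python
from typing import Dict, Tuple


def evaluate_framing_policy(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, reason) for one HTTP response's headers.

    verdict is "protected", "weak" or "unprotected".
    Header names are matched case-insensitively, as HTTP requires.
    """
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. CSP frame-ancestors obsoletes X-Frame-Options, so it is checked first.
    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:  # empty list means 'none'
                return "protected", "CSP frame-ancestors 'none'"
            if sources == ["'self'"]:
                return "protected", "CSP frame-ancestors 'self'"
            if "*" in sources:
                return "unprotected", "CSP frame-ancestors allows any origin"
            return "protected", "CSP frame-ancestors restricts to listed origins"

    # 2. Fall back to X-Frame-Options; the value itself is case-insensitive.
    xfo = lower.get("x-frame-options")
    if xfo is None:
        return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if "," in value:
        # Two values joined into one header field is not a single valid directive.
        return "weak", "multiple X-Frame-Options values present"
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by modern browsers"
    return "weak", f"unrecognised X-Frame-Options value {xfo!r}"


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    samples = [
        {"X-Frame-Options": "DENY"},
        {"x-frame-options": "sameorigin"},
        {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
         "X-Frame-Options": "SAMEORIGIN"},
        {},
    ]
    for h in samples:
        print(evaluate_framing_policy(h))
```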

Supported Browsers: The browsers that support X-Frame-Options are listed below:

  • Chrome
  • Internet Explorer
  • Safari
  • Firefox
  • Edge

Note: Only Internet Explorer and Microsoft Edge support the allow-from directive.


Improved By : Akanksha_Rai
