HTTP headers carry additional information with an HTTP request or response. The X-Frame-Options response header is used to protect a site against clickjacking: it tells the browser whether or not the page may be rendered inside a <frame>, <iframe>, <embed> or <object>. The frame-ancestors directive of Content-Security-Policy (CSP) obsoletes X-Frame-Options; when both headers are present, a browser that understands frame-ancestors ignores X-Frame-Options.
- deny: The page may not be rendered in a frame at all, i.e. the site cannot be embedded into any other site, not even into pages of its own origin.
- sameorigin: The page may be rendered in a frame only if the frame (and, in current browsers, every ancestor frame up to the top-level page) has the same origin as the page.
- allow-from uri: Obsolete and should not be used. It allowed the page to be rendered in a frame originating from the specified uri. Modern browsers do not support it; a browser that does not recognise the value ignores the whole header, so a site relying on allow-from is left unprotected in them.
- On Apache: To send X-Frame-Options with every page of the site, add the following to your site's configuration (httpd.conf or the relevant virtual host). To allow framing only from the same origin:
Header always set X-Frame-Options "SAMEORIGIN"
To deny framing entirely, use:
Header always set X-Frame-Options "DENY"
The "always" condition makes Apache add the header to error responses (4xx, 5xx) as well, not only to successful ones.
- On Nginx: Open the server configuration file and add the following inside the relevant server (or location) block to allow framing only from the same origin:
add_header X-Frame-Options "SAMEORIGIN" always;
Note that add_header directives are inherited from the enclosing level only when the current level defines no add_header of its own, so a location block that adds any header of its own must repeat this line.
Supported Browsers: The browsers that support X-Frame-Options are listed below:
- Internet Explorer
Note: The allow-from directive was only ever honoured by Internet Explorer, the legacy (EdgeHTML) Microsoft Edge and older Firefox releases; Chromium-based browsers, Safari and current Firefox ignore it.
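The following is an added example, not code from the original article: a simplified model of the framing decision a current browser makes from the directives above and from a CSP frame-ancestors directive. It shows the three X-Frame-Options values, that an ignored value such as ALLOW-FROM (or a typo) leaves the page frameable by anyone, that sameorigin is checked against every ancestor frame, and that frame-ancestors takes precedence over X-Frame-Options. The URLs and header sets are constructed for the demonstration, and the CSP source matching covers only 'none', 'self', scheme-sources and simple host-sources.

```python
# Added example (not from the original article): a simplified model of the
# framing decision a current browser makes from X-Frame-Options and
# Content-Security-Policy frame-ancestors. All sample data is constructed.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, (parts.hostname or "").lower(), port)


def same_origin(url_a, url_b):
    return origin_of(url_a) == origin_of(url_b)


def frame_ancestors_sources(headers):
    """Source list of the CSP frame-ancestors directive, or None if absent."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def source_matches(source, page_url, ancestor_url):
    """Simplified CSP source matching: 'none', 'self', a scheme-source such as
    "https:", and host-sources such as "https://a.example" or "*.example"."""
    src = source.lower()
    scheme, host, port = origin_of(ancestor_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return same_origin(page_url, ancestor_url)
    if src.endswith(":") and "/" not in src:          # scheme-source
        return scheme == src[:-1]
    if "://" in src:                                  # host-source with scheme
        src_scheme, src = src.split("://", 1)
        if scheme != src_scheme:
            return False
    src_host, _, src_port = src.partition(":")
    if src_port and src_port != "*" and src_port != str(port):
        return False
    if src_host.startswith("*."):                     # wildcard subdomains
        return host.endswith(src_host[1:])
    return host == src_host


def may_be_framed(headers, page_url, ancestor_urls):
    """True if a browser would render page_url inside the given ancestor chain.

    headers: list of (name, value) pairs as sent by the server.
    ancestor_urls: URLs of every frame above the page (empty for top-level).
    """
    if not ancestor_urls:
        return True                                   # top-level: nothing to block
    sources = frame_ancestors_sources(headers)
    if sources is not None:
        # frame-ancestors present: X-Frame-Options is ignored entirely and
        # every ancestor must match at least one source expression.
        return all(any(source_matches(s, page_url, a) for s in sources)
                   for a in ancestor_urls)
    values = [v.strip().lower()
              for name, value in headers if name.lower() == "x-frame-options"
              for v in value.split(",")]
    if "deny" in values:
        return False
    if "sameorigin" in values:
        return all(same_origin(page_url, a) for a in ancestor_urls)
    # No header, ALLOW-FROM, or a typo such as "SAME-ORIGIN": current browsers
    # ignore the header, so the page can be framed by anyone.
    return True


# Constructed sample data (hypothetical hosts and header sets).
PAGE = "https://site.example/account"
SELF_FRAME = "https://site.example/portal"
PARTNER = "https://partner.example/embed"
ATTACKER = "https://evil.example/clickjack"

DENY = [("X-Frame-Options", "DENY")]
SAMEORIGIN = [("X-Frame-Options", "SAMEORIGIN")]
ALLOW_FROM = [("X-Frame-Options", "ALLOW-FROM https://partner.example")]
CSP_WINS = [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy",
             "default-src 'self'; frame-ancestors 'self' https://partner.example")]

if __name__ == "__main__":
    for label, hdrs in (("DENY", DENY), ("SAMEORIGIN", SAMEORIGIN),
                        ("ALLOW-FROM", ALLOW_FROM), ("CSP", CSP_WINS)):
        for who in (SELF_FRAME, PARTNER, ATTACKER):
            print(f"{label:10} framed by {who:34} -> {may_be_framed(hdrs, PAGE, [who])}")
```

Running the block prints one line per header set and embedder; the ALLOW-FROM rows show the attacker's page allowed to frame the site, and the CSP rows show the partner allowed despite the accompanying DENY.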
Improved By : Akanksha_Rai