IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. HTTP Security Headers
  3. X-Frame-Options

HTTP security header

X-Frame-Options

X-Frame-Options tells the browser whether a page may be rendered inside a frame or iframe. Setting it to DENY (or SAMEORIGIN) prevents other sites from embedding the page and tricking users into clicking hidden elements - a clickjacking attack. Modern policies increasingly use CSP frame-ancestors, but X-Frame-Options remains widely supported.

Example

X-Frame-Options: DENY

Configuration guidance

  • Use DENY unless the page must be framed by same-origin content (then SAMEORIGIN).
  • Prefer CSP frame-ancestors for granular, modern control; send both for coverage.

Helps mitigate

Cross-Site Request Forgery (CSRF)

Related headers

Content-Security-Policy
MDN: X-Frame-Options

Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.

Test my app
← All security headers
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub