HTTP security header
X-Frame-Options
X-Frame-Options tells the browser whether a page may be rendered inside a frame or iframe. Setting it to DENY (or SAMEORIGIN) prevents other sites from embedding the page and tricking users into clicking hidden elements - a clickjacking attack. Modern policies increasingly use CSP frame-ancestors, but X-Frame-Options remains widely supported.
Example
X-Frame-Options: DENYConfiguration guidance
- Use DENY unless the page must be framed by same-origin content (then SAMEORIGIN).
- Prefer CSP frame-ancestors for granular, modern control; send both for coverage.
Helps mitigate
Related headers
Impactr checks security-header configuration as part of testing your web apps and APIs the way an attacker would - and proves what a missing header actually exposes.
Test my app