What is X-Frame-Options?

X-Frame-Options is an HTTP response header that tells browsers whether a page is allowed to be rendered inside a frame (iframe, frame, embed, or object element). It prevents clickjacking attacks where a malicious site embeds your page in an invisible frame and tricks users into clicking on it - performing actions on your site without their knowledge.

Values

  • DENY - the page cannot be displayed in any frame, regardless of the framing site
  • SAMEORIGIN - the page can only be framed by pages on the same origin

Relationship to CSP frame-ancestors

The CSP frame-ancestors directive provides the same protection with more granularity - it allows specifying exact origins that may frame the page. In modern browsers, frame-ancestors takes precedence: when a response carries both headers, a browser that supports frame-ancestors ignores X-Frame-Options and enforces the CSP directive. For maximum compatibility, set both:

X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
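
The following is an added example, not part of the original article and not SurfaceLoop's own code. It evaluates a response's X-Frame-Options and CSP frame-ancestors headers the way a browser would (frame-ancestors wins when present, unrecognised X-Frame-Options values are ignored) and classifies the page's clickjacking exposure. It goes beyond the two header values above by matching the frame-ancestors source list ('none', 'self', '*', scheme sources such as https:, and host sources with *. wildcards and ports). The third-party origin used for the classification is a constructed placeholder, and the parser assumes a single Content-Security-Policy header.

```python
"""Clickjacking exposure check from HTTP response headers (added example).

Models the browser rules described in the article: if the CSP frame-ancestors
directive is present it takes precedence, otherwise X-Frame-Options applies,
and with neither header the page can be framed by anyone.
"""
from urllib.parse import urlsplit

# Constructed placeholder standing in for any unrelated site that might frame the page.
THIRD_PARTY_ORIGIN = "https://third-party.example"


def _origin_parts(origin):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    port = u.port or (443 if scheme == "https" else 80)
    return scheme, (u.hostname or "").lower(), port


def same_origin(a, b):
    return _origin_parts(a) == _origin_parts(b)


def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list, or None if the directive is absent.
    A second frame-ancestors directive in the same policy is ignored, as in CSP."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def _source_matches(source, page_origin, framer_origin):
    """Does one frame-ancestors source expression permit framer_origin?"""
    src = source.lower()
    f_scheme, f_host, f_port = _origin_parts(framer_origin)
    if src == "'none'":
        return False
    if src == "'self'":
        return same_origin(page_origin, framer_origin)
    if src == "*":
        return True
    if src.endswith(":"):                      # scheme-source, e.g. https:
        return f_scheme == src[:-1]
    if "://" in src:                           # host-source with an explicit scheme
        s_scheme, rest = src.split("://", 1)
        if f_scheme != s_scheme:
            return False
    else:                                      # no scheme: page's scheme, or its https upgrade
        rest = src
        if f_scheme not in (_origin_parts(page_origin)[0], "https"):
            return False
    s_host, _, s_port = rest.partition(":")
    if s_port and s_port != "*" and s_port != str(f_port):
        return False
    if not s_port and f_port != (443 if f_scheme == "https" else 80):
        return False                           # no port in the source: only the default port matches
    if s_host.startswith("*."):
        return f_host.endswith(s_host[1:])     # subdomains only, never the bare domain
    return f_host == s_host


def _xfo_allows(xfo, page_origin, framer_origin):
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return same_origin(page_origin, framer_origin)
    # Any other value (typos, ALLOWALL, the deprecated ALLOW-FROM in current browsers)
    # is not recognised, so the header gives no protection.
    return True


def can_be_framed(headers, page_origin, framer_origin):
    """True if framer_origin may embed page_origin given these response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:                  # frame-ancestors present: X-Frame-Options is ignored
        return any(_source_matches(s, page_origin, framer_origin) for s in ancestors)
    xfo = h.get("x-frame-options")
    if xfo is not None:
        return _xfo_allows(xfo, page_origin, framer_origin)
    return True                                # neither header: no clickjacking protection at all


def assess(headers, page_origin):
    """Classify a page: 'vulnerable' (any site can frame it), 'same-origin', or 'deny'."""
    if can_be_framed(headers, page_origin, THIRD_PARTY_ORIGIN):
        return "vulnerable"
    if can_be_framed(headers, page_origin, page_origin):
        return "same-origin"
    return "deny"


if __name__ == "__main__":
    # Constructed sample responses for a page at https://example.com
    samples = {
        "both headers, none": {"X-Frame-Options": "DENY",
                               "Content-Security-Policy": "frame-ancestors 'none'"},
        "XFO only": {"X-Frame-Options": "SAMEORIGIN"},
        "CSP overrides XFO": {"X-Frame-Options": "DENY",
                              "Content-Security-Policy": "frame-ancestors *"},
        "no headers": {},
    }
    for name, hdrs in samples.items():
        print(f"{name:20s} -> {assess(hdrs, 'https://example.com')}")
```

The "CSP overrides XFO" sample is the case worth remembering when auditing: a restrictive X-Frame-Options is silently discarded once a Content-Security-Policy with frame-ancestors is present, so the two headers must agree.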

SurfaceLoop checks for both X-Frame-Options and CSP frame-ancestors across all your domains, flagging pages that are vulnerable to clickjacking.