The X-Frame-Options header controls whether a browser can render a page in <frame>, <iframe>, <embed>, or <object>. Key defense against clickjacking.

Values: DENY (no framing), SAMEORIGIN (same-origin only), ALLOW-FROM uri (deprecated).

The modern replacement is frame-ancestors in Content-Security-Policy. For maximum compatibility, use both headers.

Check if your website sends this header correctly

Check your headers →

Web Server Security Hardening Checklist: Nginx and Apache

Complete web server hardening checklist for nginx and Apache. File permissions, security headers, TLS configuration, access control, and monitoring.

Reverse Proxy: How It Works and Why You Need One

Understand reverse proxies — how they work, their benefits for security, performance, and scalability, and how to configure Nginx as a reverse proxy.

Website SEO Audit: 20-Point Checklist

Practical SEO audit checklist: 20 points to check technical SEO, content, performance, and security.

Related Headers

Content-Security-Policy

Controls which resources the browser is allowed to load for a page, helping prevent XSS and data injection attacks.

Cross-Origin-Opener-Policy

Isolates the browsing context to prevent cross-origin attacks like Spectre from accessing sensitive data.

Cross-Origin-Resource-Policy

Restricts which origins can load a resource, preventing unauthorized cross-origin reads.

Permissions-Policy

Controls which browser features and APIs can be used on the page, such as camera, microphone, and geolocation.

Referrer-Policy

Controls how much referrer information is included with requests, balancing privacy with analytics needs.

Strict-Transport-Security

Instructs browsers to only access the site via HTTPS, protecting against protocol downgrade attacks and cookie hijacking.

Start monitoring for free

Create Account API Documentation

⚡

enterno.io

Website monitoring and analysis tools

Site Analysis HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS & Network DNS Lookup DNS Propagation WHOIS SSL Check CMS Detector Ping & Ports Traceroute IP Geolocation ASN Lookup IP/CIDR Calculator

Security Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content

SEO & AI & Utilities Robots.txt AI Readiness llms.txt Keywords SEO Audit Schema Checker Site Comparison Formatter Cron Tester JWT Decoder TTL Calculator Batch Check

Service API Documentation Pricing Help Compare Articles HTTP Headers Reference HTTP Status Codes Contact Privacy Policy Terms of Service Heartbeat Status Pages

PHP 8.4 · Hosting: Russia

X-Frame-Options

Syntax

Example

Description

Related Articles

Related Headers

Start monitoring for free