What is X-Frame-Options?
X-Frame-Options is an HTTP response header that controls whether your page can be rendered inside an iframe on another site. Its values are `DENY` (no framing at all) and `SAMEORIGIN` (framing only by pages on your own origin). It is the older, less flexible predecessor of CSP's `frame-ancestors` directive — modern apps should set both, so that browsers that understand `frame-ancestors` use it and older ones fall back to X-Frame-Options.
In more detail
Clickjacking works by loading your site in an invisible iframe on top of a decoy page. The attacker positions their decoy so users click elements on your site without realizing — confirming purchases, sharing data, or changing account settings. X-Frame-Options stops this by telling the browser to refuse to render your site inside a frame.
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
Why builders care
Clickjacking is especially dangerous for apps with one-click destructive actions (subscribe, pay, delete). Both headers are free to add and have no downside unless you legitimately need your pages to be framed elsewhere.
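The following is an added example, not code from the original page or from any framework it mentions. It shows, in Node-style JavaScript, how to set both anti-framing headers on a response and how to check a captured set of response headers for framing protection, including the cases where a header is present but ineffective (an unrecognised X-Frame-Options value, or a `frame-ancestors` list that allows any origin). The helper names `setFramingHeaders`, `frameAncestors` and `assessFraming` are my own, and the sample header sets are constructed.

```javascript
// Added example, not from the original page: set both anti-framing headers
// and assess whether a response's headers actually protect against clickjacking.
// Helper names (setFramingHeaders, frameAncestors, assessFraming) are mine.

// Set X-Frame-Options and CSP frame-ancestors on a Node-style response
// (anything with setHeader(name, value), e.g. http.ServerResponse or Express res).
// allowSelf=false -> DENY / 'none'        (page may never be framed)
// allowSelf=true  -> SAMEORIGIN / 'self'  (only your own origin may frame it)
function setFramingHeaders(res, { allowSelf = false } = {}) {
  res.setHeader('X-Frame-Options', allowSelf ? 'SAMEORIGIN' : 'DENY');
  res.setHeader('Content-Security-Policy',
    `frame-ancestors ${allowSelf ? "'self'" : "'none'"}`);
  return res;
}

// Extract the source list of the frame-ancestors directive from a CSP value,
// or null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Assess framing protection from a headers object (header names are matched
// case-insensitively). Returns { csp, xfo, protected, bothSet } where
//   csp: 'none' | 'self' | 'allowlist' | 'open' | null
//   xfo: 'deny' | 'sameorigin' | 'invalid' | null
function assessFraming(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  let csp = null;
  const sources = frameAncestors(h['content-security-policy']);
  if (sources) {
    const s = sources.map((x) => x.toLowerCase());
    // An empty source list behaves like 'none'.
    if (s.length === 0 || (s.length === 1 && s[0] === "'none'")) csp = 'none';
    else if (s.length === 1 && s[0] === "'self'") csp = 'self';
    // '*' or a bare scheme matches any origin, so it grants no real protection.
    else if (s.some((x) => x === '*' || x === 'http:' || x === 'https:')) csp = 'open';
    else csp = 'allowlist';
  }

  let xfo = null;
  const xfoValue = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfoValue === 'DENY') xfo = 'deny';
  else if (xfoValue === 'SAMEORIGIN') xfo = 'sameorigin';
  else if (xfoValue) xfo = 'invalid'; // unrecognised values are ignored by browsers

  // Browsers that support frame-ancestors ignore X-Frame-Options when the
  // directive is present; older browsers fall back to X-Frame-Options.
  const xfoValid = xfo === 'deny' || xfo === 'sameorigin';
  const protectedNow = sources ? csp !== 'open' : xfoValid;
  const bothSet = sources !== null && xfoValid;
  return { csp, xfo, protected: protectedNow, bothSet };
}

// Stand-alone demonstration with a constructed response object.
const demoRes = { headers: {}, setHeader(k, v) { this.headers[k] = v; } };
setFramingHeaders(demoRes);
console.log(demoRes.headers, assessFraming(demoRes.headers));
console.log(assessFraming({}));                               // neither header: unprotected
console.log(assessFraming({ 'X-Frame-Options': 'ALLOWALL' })); // bogus value: unprotected
```

To check a live site, fetch a page, pass its response headers into `assessFraming`, and treat `protected: false` as a finding; `bothSet: false` with a valid CSP flags pages that still lack the legacy fallback this page recommends.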
Fix guides
Fix X-Frame-Options issues
Missing X-Frame-Options
Without X-Frame-Options or CSP frame-ancestors, attackers can embed your site in an invisible iframe to trick users into clicking things. Here is the fix.
Missing CSP header
A missing Content-Security-Policy header lets attackers inject scripts into your site. Here is what CSP does, why you need it, and how to add it in Next.js, Vercel, and Supabase apps.
Related terms
Content Security Policy
CSP is a browser feature that tells your site which scripts, styles, and images are allowed to run. It is the main defense against cross-site scripting (XSS).
Cross-Site Request Forgery
CSRF tricks a logged-in user into performing actions on your site without realizing. SameSite cookies are the modern defense.