Setting up the "X-Frame-Options" header

This guide explains the X-Frame-Options header, which protects your site against clickjacking (click hijacking): an attacker embedding your page in an invisible frame so that visitors click on it without realising.

The ALLOW-FROM value is obsolete. To allow a specific domain, use the Content-Security-Policy (CSP) header with the frame-ancestors directive instead.


Values for the X-Frame-Options header

This header tells the browser whether your page may be displayed inside a <frame> or <iframe> tag.

  1. "DENY": Complete prohibition. The page cannot be loaded in any frame, even from your own site.
  2. "SAMEORIGIN": Allows display in a frame only if the parent page has the same origin as the framed content.

Implement the header

Via the .htaccess file (recommended for the entire site):

Header set X-Frame-Options "SAMEORIGIN"

Or via PHP (for a specific page):

<?php
header('X-Frame-Options: SAMEORIGIN');
?>


The modern alternative: Content-Security-Policy (CSP)

If you need to allow a specific external site (e.g. domain.xyz) to embed your content, do not use X-Frame-Options; instead, set the following header in your .htaccess:

Header set Content-Security-Policy "frame-ancestors 'self' https://domain.xyz"

This rule allows your own site ('self') as well as domain.xyz to embed your pages in an iframe.
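To check that the headers you deploy actually behave as described above (both the X-Frame-Options section and this CSP section), here is an added example, not part of the original FAQ: a small Python checker that takes a page's response headers, the page URL and a candidate parent URL and answers whether a browser would allow the embedding. It encodes the precedence rule browsers apply (a CSP frame-ancestors directive overrides X-Frame-Options when both are present) and treats the obsolete ALLOW-FROM value as giving no reliable protection. The header values and URLs are constructed samples; the domains example.com and domain.xyz are placeholders.

```python
"""Evaluate whether response headers let a given parent page frame a given page.

Added example (not from the FAQ). Sample headers and URLs below are constructed.
Supports: X-Frame-Options DENY / SAMEORIGIN, CSP frame-ancestors with 'none',
'self', '*', scheme sources (https:) and host sources, including *.host wildcards.
"""

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    scheme, _, rest = url.partition("://")
    scheme = scheme.lower()
    netloc = rest.split("/", 1)[0]
    host, _, port_text = netloc.partition(":")
    port = int(port_text) if port_text else DEFAULT_PORTS.get(scheme)
    return (scheme, host.lower(), port)


def get_header(headers, name):
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def source_matches(source, parent, page):
    """Does one frame-ancestors source expression match the parent's origin?"""
    if source == "'none'":
        return False
    if source == "'self'":
        return parent == page
    if source == "*":
        return True
    if source.endswith(":") and "/" not in source:  # scheme-source such as https:
        return parent[0] == source[:-1]
    # host-source: [scheme://]host[:port]; without a scheme, the page's own scheme applies
    if "://" in source:
        scheme, rest = source.split("://", 1)
    else:
        scheme, rest = page[0], source
    rest = rest.split("/", 1)[0]  # drop any path component
    host, _, port_text = rest.partition(":")
    if port_text == "*":
        port = parent[2]  # wildcard port matches whatever the parent uses
    else:
        port = int(port_text) if port_text else DEFAULT_PORTS.get(scheme)
    if parent[0] != scheme or parent[2] != port:
        return False
    if host.startswith("*."):  # wildcard host matches subdomains only
        return parent[1].endswith(host[1:])
    return parent[1] == host


def framing_allowed(headers, page_url, parent_url):
    """Return (allowed, reason) for embedding page_url inside parent_url.

    CSP frame-ancestors takes precedence over X-Frame-Options, so it is checked first.
    """
    page, parent = origin_of(page_url), origin_of(parent_url)
    csp = get_header(headers, "Content-Security-Policy")
    sources = parse_frame_ancestors(csp) if csp else None
    if sources is not None:
        allowed = any(source_matches(s, parent, page) for s in sources)
        return allowed, "decided by CSP frame-ancestors"
    xfo = get_header(headers, "X-Frame-Options")
    if xfo is None:
        return True, "no anti-framing header: the page can be framed from anywhere"
    value = xfo.strip().upper()
    if value == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing"
    if value == "SAMEORIGIN":
        return parent == page, "X-Frame-Options: SAMEORIGIN allows only same-origin parents"
    if value.startswith("ALLOW-FROM"):
        return True, "ALLOW-FROM is obsolete and not honoured by current browsers: no reliable protection"
    return True, f"unrecognised X-Frame-Options value {xfo!r}: browsers ignore it"


if __name__ == "__main__":
    # Constructed sample: the two header configurations shown in this FAQ.
    page = "https://example.com/account"
    for headers in ({"X-Frame-Options": "SAMEORIGIN"},
                    {"Content-Security-Policy": "frame-ancestors 'self' https://domain.xyz"}):
        for parent in ("https://example.com/other", "https://domain.xyz/embed", "https://other.example/"):
            print(headers, parent, framing_allowed(headers, page, parent))
```

Note that the checker compares full origins (scheme, host and port), so a SAMEORIGIN page served over https is not frameable from an http page on the same host, which is the behaviour browsers implement.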

