1000 FAQs, 500 tutorials and explanatory videos. Here, there are only solutions!
Implementation of the header "X-Frame-Options
This guide details the "X-Frame-Options" header, which can be used to protect against clickjacking attacks. Note that the "X-Frame-Options" header may not be supported by all web browsers. It is therefore recommended to combine it with other methods to enhance the security of your website.
Possible values for the header
The "X-Frame-Options" header can be set to prevent a website from being loaded in a frame or iframe. There are three possible values for this header:
- "DENY": the website cannot be loaded in a frame or iframe
- "SAMEORIGIN": the website can be loaded in a frame or iframe only if the source of the frame or iframe belongs to the same domain as the website
- "ALLOW-FROM uri": the website can be loaded in a frame or iframe only from the specified URI
You can set this header by adding the following lines to your .htaccess file:
Header set X-Frame-Options "DENY"
or by using the header() function in PHP, as it is executed in FPM, in the same way as when disabling HSTS, for example:
header('X-Frame-Options: DENY');
Replace "DENY" with the desired value for this header.