
X-Frame-Options

An HTTP response header that controls whether a browser allows a page to be embedded in frames, protecting against clickjacking attacks.

X-Frame-Options is an HTTP response header that instructs browsers whether to allow a web page to be rendered inside a <frame>, <iframe>, or <object> element. Its primary purpose is to prevent clickjacking attacks, where an attacker overlays a transparent iframe containing a legitimate site over a deceptive page, tricking users into clicking elements on the hidden site without realizing it. By controlling framing behavior, this header ensures users interact only with visible, intended content.

How It Works

The X-Frame-Options header supports three directives. DENY prevents the page from being framed entirely, regardless of the origin attempting to embed it. SAMEORIGIN allows framing only by pages on the same origin as the content itself. ALLOW-FROM uri permits framing only from a single specified origin, though this directive has limited browser support and has been deprecated in favor of the more flexible Content Security Policy frame-ancestors directive.

When a browser receives a response with X-Frame-Options set, it checks whether the current framing context is permitted. If the page is being loaded inside an iframe and the header forbids it, the browser refuses to render the content and typically displays a blank frame or an error. This check happens client-side, so the server cannot detect whether framing was attempted; it simply sends the header with every response and relies on the browser to enforce the policy.

The modern replacement for X-Frame-Options is the Content Security Policy frame-ancestors directive, which provides more granular control. While frame-ancestors 'none' is equivalent to DENY and frame-ancestors 'self' matches SAMEORIGIN, the CSP directive also supports multiple origins, wildcards, and scheme-based restrictions. Best practice is to set both headers for backward compatibility with older browsers that do not support CSP.
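As an added illustration (not code from the original glossary entry), the following is a simplified model of the client-side check described above: given a response's X-Frame-Options and Content-Security-Policy values, the document's own origin, and the origins of every ancestor frame, it decides whether the browser would render the page. It assumes origins are passed in as plain strings, gives CSP frame-ancestors precedence over X-Frame-Options when both are present, and covers DENY, SAMEORIGIN, 'none', 'self' and literal origin sources only (no ALLOW-FROM, wildcards or scheme sources).

```javascript
// Added example, not part of the original page: a reduced model of the browser's
// framing decision. Assumed inputs: the framed document's own origin and the
// origins of all ancestor browsing contexts (innermost first, top-level last).

// Parse a Content-Security-Policy value and return the frame-ancestors source
// list, or null when the directive is absent.
function frameAncestorsOf(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const parts = directive.trim().split(/\s+/);
    if (parts[0].toLowerCase() === 'frame-ancestors') return parts.slice(1);
  }
  return null;
}

// Does one ancestor origin match a single frame-ancestors source expression?
function ancestorMatches(src, origin, selfOrigin) {
  const s = src.replace(/^'|'$/g, '');          // strip quotes from 'self' / 'none'
  if (s === 'none') return false;                // 'none' forbids every ancestor
  if (s === 'self') return origin === selfOrigin;
  return s.toLowerCase() === origin.toLowerCase(); // literal origin such as https://a.example
}

// Decide whether the document may be rendered. Returns true when framing is
// permitted (or when the page is not framed at all), false when the browser
// would refuse to render it. Every ancestor must be allowed, not just the parent.
function framingAllowed({ xfo, csp }, selfOrigin, ancestors) {
  if (ancestors.length === 0) return true;       // top-level document: nothing to check

  const sources = frameAncestorsOf(csp);
  if (sources !== null) {                        // CSP present: X-Frame-Options is ignored
    return ancestors.every(origin =>
      sources.some(src => ancestorMatches(src, origin, selfOrigin)));
  }

  const value = (xfo || '').trim().toUpperCase();
  if (value === 'DENY') return false;
  if (value === 'SAMEORIGIN') return ancestors.every(o => o === selfOrigin);
  return true;                                   // no recognised header: framing allowed
}
```

Note that with neither header present the function returns true, which is exactly the default that makes a missing header an assessment finding.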

Why It Matters

Clickjacking remains a viable attack vector, particularly against applications with sensitive one-click actions like changing account settings, transferring funds, or granting permissions. Missing X-Frame-Options headers are a common finding in security assessments and, while often rated as low severity in isolation, can be chained with social engineering to produce significant impact. Properly configuring framing controls is a straightforward defense that eliminates an entire class of user interface manipulation attacks.
