X-Frame-Options
Helps protect against clickjacking by controlling whether your site can be embedded in an iframe.
Category: headers
What it is
X-Frame-Options tells browsers whether your pages can be embedded in frames/iframes on other sites.
Recommended values
- DENY (strongest)
- SAMEORIGIN (allow iframing only on your own origin)
Modern note
CSP’s frame-ancestors is the modern replacement and is more flexible. Many sites use both for compatibility.
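An added example (not part of the original guide): a small Python check that classifies a response's framing protection from its headers, covering both X-Frame-Options and CSP frame-ancestors. The function names, finding messages and sample responses are constructed for illustration; any X-Frame-Options value other than the two recommended above is reported as a finding.

```python
"""Audit a response's anti-framing headers (added example)."""

XFO_VALID = {"DENY", "SAMEORIGIN"}  # the two recommended values

# Constructed sample responses (not taken from any real site).
SAMPLES = {
    "both": {"X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_only": {"x-frame-options": "sameorigin"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
}


def frame_ancestors(csp):
    """Return the source list of the first frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit_framing(headers):
    """Classify framing protection from a dict of response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    xfo = h.get("x-frame-options", "").strip().upper()
    fa = frame_ancestors(h.get("content-security-policy", ""))
    findings = []
    if xfo and xfo not in XFO_VALID:
        findings.append(f"X-Frame-Options value {xfo!r} is not DENY or SAMEORIGIN")
        xfo = ""  # treat an unrecognised value as no protection
    if fa is not None and "*" in fa:
        findings.append("frame-ancestors allows any origin")
    if not xfo and fa is None:
        findings.append("no framing restriction: page can be embedded anywhere")
    elif not xfo:
        findings.append("CSP only: add X-Frame-Options for older browsers")
    elif fa is None:
        findings.append("X-Frame-Options only: add CSP frame-ancestors")
    return {"x_frame_options": xfo or None, "frame_ancestors": fa, "findings": findings}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_framing(hdrs))
```
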