Framing

X-Frame-Options


X-Frame-Options controls whether a browser may render your page inside a <frame>, <iframe>, <embed>, or <object> — the basis of clickjacking. DENY blocks all framing; SAMEORIGIN allows only your own origin. It is the legacy mechanism: the modern equivalent is the CSP frame-ancestors directive, which is more flexible and respected by current browsers. Send both for the widest coverage.

Example

X-Frame-Options: DENY
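As an added example (not part of this page or the tool behind it), a small Python auditor that reads one response's headers and reports the effective anti-framing policy, applying the rule given above: send both headers, and where CSP frame-ancestors is present browsers enforce it instead of X-Frame-Options. The header sets in SAMPLES are constructed, and the decision to treat any X-Frame-Options value other than a single DENY or SAMEORIGIN as unprotected is this auditor's conservative choice.

```python
"""Audit a response's anti-framing headers (X-Frame-Options + CSP frame-ancestors)."""

VALID_XFO = {"DENY", "SAMEORIGIN"}

def parse_xfo(value):
    """Return DENY or SAMEORIGIN (case-insensitive match), else None.
    ALLOW-FROM and anything else is conservatively treated as giving no protection."""
    if value is None:
        return None
    token = value.strip().upper()
    return token if token in VALID_XFO else None

def parse_frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if csp is None:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":  # directive names are case-insensitive
            return parts[1:]
    return None

def framing_verdict(headers):
    """Summarise the effective anti-framing policy of one HTTP response.
    headers: dict of header name -> value; lookup is case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = parse_xfo(h.get("x-frame-options"))
    fa = parse_frame_ancestors(h.get("content-security-policy"))
    if fa is not None:
        # CSP Level 2: when both are present, frame-ancestors is enforced and XFO is ignored.
        protected = fa != ["*"]  # a bare '*' explicitly permits any ancestor
        note = ("X-Frame-Options also set as legacy fallback" if xfo
                else "no X-Frame-Options fallback for browsers without CSP support")
        return {"protected": protected, "policy": "frame-ancestors " + " ".join(fa), "note": note}
    if xfo:
        return {"protected": True, "policy": "X-Frame-Options " + xfo,
                "note": "add CSP frame-ancestors for modern browsers"}
    return {"protected": False, "policy": None, "note": "no anti-framing header sent"}

# Constructed sample responses: one following this page's advice, one legacy-only, one open.
SAMPLES = {
    "both": {"X-Frame-Options": "DENY",
             "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "legacy-only": {"x-frame-options": "sameorigin"},
    "open": {"Content-Security-Policy": "frame-ancestors *"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, framing_verdict(hdrs))
```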

Options

Option   Type                         Default   Notes
value    select (DENY / SAMEORIGIN)   DENY

Scoring

Contributes up to 12 points to your grade.

Full specification on MDN