How to Set the X-Frame-Options Header

X-Frame-Options prevents clickjacking by controlling whether your pages can be embedded in iframes. This guide shows how to add it across all major web servers and platforms.


The X-Frame-Options header prevents clickjacking attacks by telling browsers whether your page is allowed to be displayed inside an <iframe>, <frame>, or <embed> element. This guide shows how to set it on every major web server and platform.

Choosing the Right Value

| Value | Effect | When to Use |
|---|---|---|
| DENY | No framing by anyone, including same origin | Default for most sites — use unless you embed your own pages in iframes |
| SAMEORIGIN | Framing allowed by same-origin pages only | When your own application legitimately uses iframes across pages |

Also Set CSP frame-ancestors

For modern browsers, combine X-Frame-Options with Content-Security-Policy: frame-ancestors 'none' (equivalent to DENY). CSP is the modern standard; X-Frame-Options covers legacy IE11 as a fallback.

Nginx

```nginx
server {
    listen 443 ssl;
    server_name example.com;
    add_header X-Frame-Options "DENY" always;
    # ... rest of config
}
```

Note that nginx only inherits add_header directives from the server block into a location block that has no add_header directives of its own, so any location that sets other headers must repeat this one.

Test and reload:

```bash
sudo nginx -t && sudo systemctl reload nginx
```

Apache

Ensure mod_headers is enabled (sudo a2enmod headers), then:

```apache
<VirtualHost *:443>
    <IfModule mod_headers.c>
        Header always set X-Frame-Options "DENY"
    </IfModule>
</VirtualHost>
```

Or in .htaccess:

```apache
<IfModule mod_headers.c>
    Header always set X-Frame-Options "DENY"
</IfModule>
```

Then reload:

```bash
sudo systemctl reload apache2
```

IIS (web.config)

```xml
<system.webServer>
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
</system.webServer>
```

Caddy

```caddyfile
example.com {
    header X-Frame-Options "DENY"
    # ... rest of config
}
```

Cloudflare (Transform Rules)

  1. Go to Rules → Transform Rules → Modify Response Header.
  2. Add a rule with Operation: Set, Header name: X-Frame-Options, Value: DENY.
  3. Deploy the rule.

Next.js

```javascript
// next.config.mjs
const nextConfig = {
  async headers() {
    return [
      {
        source: '/(.*)',
        headers: [
          { key: 'X-Frame-Options', value: 'DENY' },
        ],
      },
    ];
  },
};

export default nextConfig;
```

Verifying the Header

```bash
curl -I https://example.com | grep -i x-frame-options
# Expected: x-frame-options: DENY
```

Or use the ShowDNS Security Headers Scanner.
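The grep above only tells you the header is present. The following script, added here as an example and not part of the original guide or the ShowDNS scanner, grades a saved `curl -I` response offline against the rules in this guide: CSP frame-ancestors takes precedence in modern browsers, X-Frame-Options is the legacy fallback, and a value browsers reject (the obsolete ALLOW-FROM, or conflicting duplicate headers) gives no protection. The sample responses are constructed.

```python
# Added example: grade anti-framing headers from raw `curl -I` output, offline.
VALID_XFO = {"DENY", "SAMEORIGIN"}

def parse_headers(raw):
    """Map lowercase header names to the list of values seen (headers may repeat)."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue  # status line or blank line
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(csp_values):
    """Return the frame-ancestors source list from the CSP header(s), or None if absent."""
    for csp in csp_values:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def check_framing(raw):
    """Return (level, findings); level is 'deny', 'sameorigin', 'weak' or 'missing'."""
    h = parse_headers(raw)
    xfo = {v.upper() for v in h.get("x-frame-options", [])}  # dedupe identical repeats
    fa = frame_ancestors(h.get("content-security-policy", []))
    findings, csp_level, xfo_level = [], None, None
    if fa == ["'none'"]:
        csp_level = "deny"
    elif fa == ["'self'"]:
        csp_level = "sameorigin"
    elif fa is not None:
        csp_level = "weak"
        findings.append("frame-ancestors allows: " + " ".join(fa))
    else:
        findings.append("no CSP frame-ancestors directive")
    if not xfo:
        findings.append("X-Frame-Options missing (no fallback for legacy browsers)")
    elif len(xfo) > 1 or not xfo <= VALID_XFO:
        xfo_level = "weak"  # conflicting or unsupported values are ignored by browsers
        findings.append("X-Frame-Options ignored by browsers: " + ", ".join(sorted(xfo)))
    else:
        xfo_level = xfo.pop().lower()
    # Modern browsers honour CSP when present; otherwise X-Frame-Options decides.
    return csp_level or xfo_level or "missing", findings

# Constructed sample responses, in the shape `curl -I` prints them.
GOOD = ("HTTP/2 200\ncontent-type: text/html\nx-frame-options: DENY\n"
        "content-security-policy: default-src 'self'; frame-ancestors 'none'\n")
CONFLICT = "HTTP/1.1 200 OK\nX-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN\n"
```

Save the real response with `curl -sI https://example.com > headers.txt` and pass its contents to `check_framing` to grade a live deployment.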
