http-header : x-frame-options

http-header : x-frame-options

It is a HTTP response header. This header is helpful in indicating whether or not a web browser should be allowed to render or load a page in a <frame>, <iframe> or <object> . Iframes find their use by helping in embedding and isolating the third-party content onto a website. Some examples of things which make use of iframes might take into consideration Google Maps, social media sharing buttons, video players, 3rd party advertising audio players, and maybe even some implementations of OAuth. By using this header, sites can avoid clickjacking attacks, by making sure that their content is not embedded into other sites.

This header faces few limitations when we talk about browser support and therefore needs to be checked before implementing it. In order to implement the mentioned protection, we got to add this header to any particular page that we want to protect as prevention against clickjacking through “framebusting”. Now, one of the ways to do this is by adding this header manually to each of the pages. A more possible and simpler means is to use a filter that automatically adds this header to each of the pages.


Enablement in Apache:

The below mentioned syntax needs to be added in “httpd.conf” and the web server restarted in order to verify the results.

Header always append X-Frame-Options DENY


Enablement in Nginx:

The syntax mentioned below needs to be added in “nginx.conf” under the server directive or block.

add_header X-Frame-Options “DENY”;

The web server needs to be restarted in order to verify the results


Enablement in Microsoft IIS:

The header is added by going to “HTTP Response Headers” for the respective site, where header name and value is entered and site restarted to view the results.



Or, we can just simply add the below mentioned syntax to our site’s “web.config” file.




<add name=”X-Frame-Options” value=”SAMEORIGIN” />








Copyrights ©2008: Valency Networks Pvt Ltd.