Clickjacking is an interface-based attack that tricks a user into clicking on content in a decoy website, while the actual click interacts with actionable content in a hidden website. This can cause users to unwittingly download malware, visit malicious web pages, transfer money, provide credentials or sensitive information, or make online purchases.
The page cannot be displayed in a frame, regardless of the site attempting to do so.
The page can only be displayed in a frame on the same origin as the page itself.
X-Frame-Options: allow-from http://example.com
The page can only be displayed in a frame on the specified origin.
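The three directives above, modelled as an added JavaScript example (not code from the original page). The function name `framingAllowed`, the `legacyAllowFrom` switch, the handling of repeated values and the `bank.example` / `decoy.example` URLs are assumptions made for illustration. Browsers that do not implement allow-from ignore that value, which leaves the page frameable, so the switch models both behaviours.

```javascript
// Added example: decides whether a response may be rendered in a frame,
// given its X-Frame-Options value. All URLs are constructed samples.

// Returns true if the page at pageUrl may render inside a frame on framerUrl.
// legacyAllowFrom = true  : browser implements allow-from as described above.
// legacyAllowFrom = false : browser does not implement it and ignores the value.
function framingAllowed(xfo, pageUrl, framerUrl, legacyAllowFrom = true) {
  if (xfo == null) return true; // header absent: no framing protection
  const page = new URL(pageUrl).origin;
  const framer = new URL(framerUrl).origin;
  // Values are case-insensitive, and a response can carry several of them
  // (for example when the web server and the application each add one).
  const values = [...new Set(
    String(xfo).split(",").map(v => v.trim().toLowerCase()).filter(Boolean))];
  const known = v => v === "deny" || v === "sameorigin";
  if (values.length > 1) {
    // Assumption of this model: conflicting values that include a
    // recognised directive block framing; otherwise they are ignored.
    return !values.some(known);
  }
  const value = values[0] || "";
  if (value === "deny") return false;
  if (value === "sameorigin") return framer === page;
  const m = /^allow-from\s+(\S+)$/.exec(value);
  if (m && legacyAllowFrom) {
    try { return new URL(m[1]).origin === framer; }
    catch { return false; } // malformed origin: block (assumption)
  }
  return true; // unrecognised or unsupported value is ignored
}

// Constructed sample: a sensitive page and two candidate framing sites.
const PAGE = "https://bank.example/transfer";
const SAMPLES = [
  ["DENY", "https://bank.example/home"],
  ["SAMEORIGIN", "https://bank.example/home"],
  ["SAMEORIGIN", "https://decoy.example/win"],
  ["allow-from http://example.com", "https://decoy.example/win"],
  ["SAMEORIGN", "https://decoy.example/win"], // typo in the value
];
for (const [xfo, framer] of SAMPLES) {
  console.log(`${xfo} framed by ${framer}:`,
    framingAllowed(xfo, PAGE, framer) ? "rendered" : "blocked");
}
```

The misspelled value in the last sample is ignored rather than rejected, so a typo in server configuration silently removes the protection.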
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration file (httpd.conf):
Header always append X-Frame-Options SAMEORIGIN
To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:
To configure IIS to send the X-Frame-Options header, add the following code to your site's Web.config file:
<configuration>