Clickjacking is an interface-based attack that tricks a user into clicking on content in a decoy website, while the actual click interacts with actionable content in a hidden website, typically loaded in an invisible frame. This can cause users to unwittingly download malware, visit malicious web pages, transfer money, provide credentials or sensitive information, or make online purchases. The standard server-side defence is the X-Frame-Options response header, which tells the browser whether the page may be rendered inside a frame, iframe, embed or object element. It takes one of three values:
X-Frame-Options: deny
The page cannot be displayed in a frame, regardless of the site attempting to do so.
X-Frame-Options: sameorigin
The page can only be displayed in a frame on the same origin as the page itself.
X-Frame-Options: allow-from http://example.com
The page can only be displayed in a frame on the specified origin. This directive is obsolete: current browsers ignore it (and treat the header as if it were absent), so to permit framing by a specific origin use the Content-Security-Policy frame-ancestors directive instead.
To configure Apache to send the X-Frame-Options header for all pages, add this to your site's configuration file (httpd.conf):
Header always set X-Frame-Options "SAMEORIGIN"
Use "set" rather than "append": "append" adds a second value when the header is already present (for example, "SAMEORIGIN, SAMEORIGIN"), and a header carrying multiple values is not reliably honoured by browsers.
To configure IIS to add an X-Frame-Options header to all responses for a given site, add the following to the site's Web.config file (the customHeaders element under system.webServer/httpProtocol is where IIS takes static response headers):
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
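A way to verify that the configuration above actually produces an effective header, as an added example that is not part of the original page: the script below parses the head of an HTTP response, classifies its X-Frame-Options value the way the three directives listed earlier are defined (deny, sameorigin, the obsolete allow-from), flags duplicated or conflicting values such as those produced by Apache's "append", and recognises a Content-Security-Policy frame-ancestors directive as the modern replacement. The sample responses, including the origin https://partner.example, are constructed for illustration; the function and variable names are my own.

```python
"""Assess whether an HTTP response carries an effective anti-framing header.

Added example, not from the original page. Sample responses below are constructed.
"""
from typing import Dict, List, Optional


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Parse the head of an HTTP/1.1 response into a lower-cased header dict.

    Repeated headers are joined with ', ' the way most clients do, so a value
    produced by 'Header append' shows up as e.g. 'SAMEORIGIN, SAMEORIGIN'.
    """
    headers: Dict[str, str] = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break  # blank line terminates the header block
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = headers[key] + ", " + value if key in headers else value
    return headers


def header_value(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of a frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess_framing(headers: Dict[str, str]) -> dict:
    """Report whether the response is protected against being framed and why."""
    report = {"protected": False, "mechanism": None, "issues": []}

    # CSP frame-ancestors, when present, takes precedence over X-Frame-Options.
    ancestors = csp_frame_ancestors(header_value(headers, "Content-Security-Policy"))
    if ancestors is not None:
        report["protected"] = True
        report["mechanism"] = "csp-frame-ancestors"

    raw = header_value(headers, "X-Frame-Options")
    if raw is None:
        if not report["protected"]:
            report["issues"].append("no anti-framing header present")
        return report

    # Collapse identical duplicates; differing values are handled inconsistently
    # across browsers, so the only safe deployment sends exactly one value.
    values = {v.strip().lower() for v in raw.split(",") if v.strip()}
    if len(values) != 1:
        report["issues"].append(
            "X-Frame-Options must carry exactly one value, got %r" % sorted(values))
        return report

    value = values.pop()
    if value in ("deny", "sameorigin"):
        if report["mechanism"] is None:
            report["protected"] = True
            report["mechanism"] = "x-frame-options"
    elif value.startswith("allow-from"):
        report["issues"].append(
            "ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors")
    else:
        report["issues"].append("unrecognised X-Frame-Options value %r" % value)
    return report


# Constructed sample responses (not captured from any real server).
SAMPLE_RESPONSES = {
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n<html>",
    "conflicting": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM http://example.com\r\n\r\n",
    "csp": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; "
           "frame-ancestors 'self' https://partner.example\r\n\r\n",
    "none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw_response in SAMPLE_RESPONSES.items():
        print(label, assess_framing(parse_response_headers(raw_response)))
```

Run it against a captured response head (for example, the output of `curl -sI` on your own site) to confirm that "set" in the Apache configuration produced a single value and that the directive chosen is one browsers still enforce.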