Headers & Policies
X-Frame-Options
X-Frame-Options is an HTTP response header that controls whether a page may be embedded in an iframe on another site. Setting it to DENY or SAMEORIGIN prevents clickjacking, in which an attacker loads your site in an invisible iframe on top of their own page so that victims who think they are clicking the attacker's page actually click your site's controls. It is being superseded by the frame-ancestors directive in Content Security Policy (CSP) but remains important for older-browser compatibility. Most security scanners flag a missing X-Frame-Options header as a medium-severity finding.
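To make the checks concrete, here is an added Python example (not code from this page or from any scanner it mentions) that grades a set of response headers the way the text describes, treating a CSP frame-ancestors directive as taking precedence, the obsolete ALLOW-FROM form and conflicting values as ineffective, and adds both protections together for old and new browsers. The function names (`assess`, `harden`, `frame_ancestors`) and the sample header sets are this example's own.

```python
"""Assess and add clickjacking protection in HTTP response headers.

Added example; function names and sample data are hypothetical. The header
semantics follow X-Frame-Options and CSP frame-ancestors behaviour.
"""
from dataclasses import dataclass

VALID_XFO = {"DENY", "SAMEORIGIN"}


@dataclass
class Finding:
    severity: str   # "none" (protected) or "medium" (scanner-style finding)
    message: str


def _get(headers, name):
    """Case-insensitive header lookup: HTTP field names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp):
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def assess(headers):
    """Report whether a response carries effective framing protection."""
    ancestors = frame_ancestors(_get(headers, "Content-Security-Policy"))
    if ancestors is not None:
        # Browsers that support frame-ancestors apply it and ignore X-Frame-Options.
        return Finding("none", "CSP frame-ancestors " + " ".join(ancestors))

    xfo = _get(headers, "X-Frame-Options")
    if xfo is None:
        return Finding("medium", "no X-Frame-Options and no CSP frame-ancestors")

    values = {v.strip().upper() for v in xfo.split(",")}
    if len(values) == 1 and values <= VALID_XFO:
        return Finding("none", "X-Frame-Options: " + xfo.strip())
    if any(v.startswith("ALLOW-FROM") for v in values):
        # ALLOW-FROM is obsolete; browsers without support ignore the whole header.
        return Finding("medium", "X-Frame-Options uses obsolete ALLOW-FROM: " + xfo)
    # Conflicting or unknown values: browsers do not honour an unparseable header.
    return Finding("medium", "invalid X-Frame-Options value: " + xfo)


def harden(headers):
    """Add both protections: frame-ancestors for modern browsers, X-Frame-Options
    for older ones. An existing X-Frame-Options value and existing CSP directives
    are left in place; frame-ancestors is appended only if the policy lacks it."""
    out = dict(headers)
    if _get(out, "X-Frame-Options") is None:
        out["X-Frame-Options"] = "DENY"
    csp = _get(out, "Content-Security-Policy")
    if frame_ancestors(csp) is None:
        key = next((k for k in out if k.lower() == "content-security-policy"),
                   "Content-Security-Policy")
        out[key] = (csp.rstrip("; ") + "; " if csp else "") + "frame-ancestors 'none'"
    return out


if __name__ == "__main__":
    # Constructed sample responses (not captured from any real site).
    samples = {
        "bare": {"Content-Type": "text/html"},
        "legacy": {"X-Frame-Options": "SAMEORIGIN"},
        "obsolete": {"x-frame-options": "ALLOW-FROM https://partner.example"},
        "conflict": {"X-Frame-Options": "DENY, SAMEORIGIN"},
        "modern": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    }
    for name, hdrs in samples.items():
        finding = assess(hdrs)
        print(f"{name:9} {finding.severity:7} {finding.message}")
    print(harden(samples["bare"]))
```

Running the block prints one line per constructed sample and then the hardened header set; only the `legacy` and `modern` samples come out as protected, which matches what a scanner would report for each.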
Why it matters for your website
- Simple HTTP header with immediate security improvement at no performance cost
- Checked by automated security scanners and compliance tools
- Missing headers are flagged as medium-to-high severity findings