X-Frame-Options is a security HTTP header that controls whether a webpage can be embedded in an iframe, preventing clickjacking attacks.
What Is X-Frame-Options?
X-Frame-Options is an HTTP response header used to enhance web security by controlling how a website’s content can be embedded into iframes on other domains. This measure protects against clickjacking—an attack where users are tricked into clicking elements hidden under legitimate site content.
Why X-Frame-Options Matters for SEO & Security:
- Protects User Interaction – Prevents malicious overlays from hijacking clicks.
- Safeguards Sensitive Actions – Stops attackers from embedding forms or login screens elsewhere.
- Builds Trust – Keeps users confident about safe site interactions.
- Reduces Risk of Penalties – Google may flag unsafe sites in search results.
- Supports Compliance – Meets security best practices for regulated industries.
Common X-Frame-Options Values:
- DENY – Blocks embedding in all frames.
- SAMEORIGIN – Allows embedding only from the same domain.
- ALLOW-FROM (deprecated) – Specifies a single allowed domain for embedding.
How to Implement X-Frame-Options:
- Add the HTTP header in your server configuration (Apache, Nginx, etc.).
- For Apache:
  Header always set X-Frame-Options "SAMEORIGIN"
- For Nginx:
  add_header X-Frame-Options "SAMEORIGIN";
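An added example, not part of the original page: a small Python check a defender can run over captured response headers to decide whether a page is still frameable. It applies two rules from the header specifications: a Content-Security-Policy frame-ancestors directive overrides X-Frame-Options, and the deprecated ALLOW-FROM value is ignored by current browsers. The sample header sets are constructed, not captured from any real site.

```python
from dataclasses import dataclass

@dataclass
class FramingResult:
    protected: bool  # True if arbitrary third-party sites cannot frame the page
    source: str      # header that decided the outcome
    note: str        # short explanation for a report

def _header(headers, name):
    # HTTP header names are case-insensitive, so match them that way.
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def check_framing(headers):
    """Decide whether a response's headers block cross-site framing."""
    # CSP frame-ancestors, when present, overrides X-Frame-Options entirely.
    csp = _header(headers, "Content-Security-Policy") or ""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [p.lower() for p in parts[1:]]
            # '*' or a bare scheme lets any site frame the page; anything else restricts it.
            open_sources = {"*", "http:", "https:"}
            protected = not any(s in open_sources for s in sources)
            return FramingResult(protected, "Content-Security-Policy",
                                 "frame-ancestors " + " ".join(sources))
    xfo = _header(headers, "X-Frame-Options")
    if xfo is None:
        return FramingResult(False, "none", "no X-Frame-Options or frame-ancestors: frameable")
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return FramingResult(True, "X-Frame-Options", value)
    if value.startswith("ALLOW-FROM"):
        # Deprecated: browsers that do not support it ignore the header, so framing is allowed.
        return FramingResult(False, "X-Frame-Options", "ALLOW-FROM is deprecated and ignored")
    # Conflicting or malformed values are not handled uniformly by browsers; flag for review.
    return FramingResult(False, "X-Frame-Options", f"unrecognised value {xfo!r}")

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "bank-login": {"X-Frame-Options": "DENY"},
    "legacy-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-wins": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "no-header": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        r = check_framing(headers)
        print(f"{name:18} protected={r.protected!s:5} via {r.source}: {r.note}")
```

The "csp-wins" sample shows why a scanner must read both headers: DENY alone looks safe, but the CSP directive reopens the page to any framer.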
Example in Practice:
A bank’s website uses DENY to ensure sensitive online banking pages cannot be embedded elsewhere, reducing the risk of phishing attacks.