A look at X-Frame-Options

Introduction

The HTTP X-Frame-Options response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites. The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options.

Syntax

There are two possible directives for X-Frame-Options:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN

DENY

This directive prohibits the page from being displayed in a frame, regardless of the site attempting to do so. It ensures that the content cannot be embedded anywhere, providing robust protection against framing attacks.

SAMEORIGIN

This directive allows the page to be displayed in a frame only if the request originates from the same site. It permits embedding of content within the same domain but blocks external sites from framing the content.

ALLOW_FROM Directive

This directive, previously used to specify a single origin permitted to frame the content, is now considered obsolete and is not supported by most modern browsers.

For more granular control over which sites can embed your content, the Content-Security-Policy (CSP) header with the frame-ancestors directive is recommended.

Setting X-Frame-Options inside a <meta> element, for example <meta http-equiv="X-Frame-Options" content="deny">, has no effect. X-Frame-Options is only enforced when it is sent as an HTTP response header.

Configuring Nginx

To configure Nginx to send the X-Frame-Options header, add the following to your http, server or location block:

add_header X-Frame-Options SAMEORIGIN always;

You can set X-Frame-Options to DENY using:

add_header X-Frame-Options DENY always;
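To check what a server actually returns after a change like the one above, here is an added example (not from the original post) that audits a captured response against the rules described here: DENY and SAMEORIGIN are honoured, ALLOW-FROM is obsolete, CSP frame-ancestors is the preferred replacement, and a <meta> tag does nothing. The header maps and HTML snippet are constructed samples, and the function names are chosen for this example.

```python
import re
from typing import Dict, List, Optional

# X-Frame-Options values that modern browsers still honour.
XFO_VALID = {"DENY", "SAMEORIGIN"}

def frame_ancestors(csp: str) -> Optional[str]:
    """Return the frame-ancestors source list of a CSP value, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None

def framing_status(headers: Dict[str, str]) -> str:
    """Classify the clickjacking protection a response actually provides:
    'csp' (frame-ancestors present; browsers then ignore X-Frame-Options),
    'xfo' (DENY or SAMEORIGIN), 'obsolete' (ALLOW-FROM) or 'none'."""
    lowered = {k.lower(): v.strip() for k, v in headers.items()}
    if frame_ancestors(lowered.get("content-security-policy", "")) is not None:
        return "csp"
    xfo = lowered.get("x-frame-options", "").upper()
    if xfo in XFO_VALID:
        return "xfo"
    if xfo.replace("_", "-").startswith("ALLOW-FROM"):
        return "obsolete"
    return "none"

def meta_xfo_present(html: str) -> bool:
    """True if the body carries the ineffective <meta http-equiv="X-Frame-Options">."""
    pattern = r'<meta[^>]+http-equiv\s*=\s*["\']?x-frame-options'
    return re.search(pattern, html, re.I) is not None

def audit(headers: Dict[str, str], html: str = "") -> List[str]:
    """Collect findings for one response; an empty list means nothing to report."""
    findings = []
    status = framing_status(headers)
    if status == "none":
        findings.append("no framing protection: send X-Frame-Options or CSP frame-ancestors")
    elif status == "obsolete":
        findings.append("X-Frame-Options ALLOW-FROM is obsolete; use CSP frame-ancestors")
    if meta_xfo_present(html):
        findings.append("X-Frame-Options in <meta> has no effect; set it as an HTTP header")
    return findings

# Constructed sample responses, as a scanner would collect them (not real sites).
NGINX_SAMEORIGIN = {"Server": "nginx", "X-Frame-Options": "SAMEORIGIN"}
META_ONLY_HTML = '<meta http-equiv="X-Frame-Options" content="deny">'
if __name__ == "__main__":
    print(audit({"Server": "nginx"}, META_ONLY_HTML))
```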