Tune The Web

X-Frame-Options header

This page was originally created on and last edited on .

Introduction

It is possible to frame a website within another website and then overlay the framed site with other content. This is one example of clickjacking: it allows attackers to make users click on links in the underlying, hidden site without realising it. For example, if you are automatically logged in to Amazon.com, a malicious page could line up the "Buy now with 1-Click" button beneath a fake "button" placed on top of it. The user clicks the fake button and accidentally buys something on Amazon.

X-Frame-Options is an HTTP header that the web server can return, which tells the browser whether or not that website may be framed. Incidentally, Amazon does not allow framing, as it has this header set, so the example above should not be an issue.

How to set it up

To set this up it is a simple matter of adding the X-Frame-Options header to your web server config. In Apache this would be

# No framing of this site's content ("set" rather than "append", so that exactly one value is ever sent)
Header always set X-Frame-Options DENY

This would deny all framing and show an error if any browser tried to frame this website. Alternatively, if you use framing on your own website then you could use the following instead:

# No framing of this site's content except from this website itself
Header always set X-Frame-Options SAMEORIGIN

There is a third option that allows framing from named sites, the ALLOW-FROM setting, but it is not well supported (Chrome, for example, does not support it at all), so we do not advise using it.

Support

This option is very well supported in all modern browsers if you ignore the ALLOW-FROM option. However, this header was never standardized (hence the X- part of the name) and there are plans to replace it with equivalent options in CSP, but the support for that is not there yet, so in the meantime we strongly advise using this header.

Note also that some browsers used to pick up this value from a meta tag in the HTML, for those who did not have access to the server config, but this was explicitly not allowed by the spec, and even browsers that did support it, like Chrome, are removing the ability to specify X-Frame-Options in meta tags.
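The following audit function is an added example, not code from the Tune The Web page; it classifies the framing protection a set of response headers actually provides, covering the header values discussed above plus two cases worth checking in practice: conflicting values from a header emitted twice, and the CSP frame-ancestors directive (the CSP replacement mentioned above), which browsers that support it honour in preference to X-Frame-Options. The sample responses in the block are constructed, not captured from any real site.

```python
from typing import Dict, List

# Tokens RFC 7034 defines for X-Frame-Options (ALLOW-FROM is followed by a URI).
VALID_TOKENS = {"DENY", "SAMEORIGIN"}


def audit_x_frame_options(headers: Dict[str, str]) -> dict:
    """Classify the framing protection offered by one HTTP response.

    `headers` maps header names (any case) to the value as sent on the wire;
    a header emitted twice is represented as the comma-joined value, which is
    how HTTP clients merge repeated headers.
    Returns {'directive': normalised value or None,
             'protected': True / False / None (None = browser-dependent),
             'notes': problems to fix}.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    notes: List[str] = []

    # Browsers that implement CSP frame-ancestors ignore X-Frame-Options when both are present.
    if "frame-ancestors" in lower.get("content-security-policy", "").lower():
        notes.append("CSP frame-ancestors present: it takes precedence in browsers that support it")

    raw = lower.get("x-frame-options")
    if raw is None:
        notes.append("header missing: any site may frame this page")
        return {"directive": None, "protected": False, "notes": notes}

    values = {v.strip().upper() for v in raw.split(",")}
    if len(values) > 1:
        # e.g. "DENY, SAMEORIGIN" when a proxy and the origin both append the header.
        notes.append(f"conflicting values {sorted(values)}: RFC 7034 allows one value, "
                     "and browsers handle conflicts differently; send exactly one")
        return {"directive": None, "protected": None, "notes": notes}

    value = values.pop()
    if value in VALID_TOKENS:
        return {"directive": value, "protected": True, "notes": notes}
    if value.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is not supported by Chrome (framing is allowed there); "
                     "use CSP frame-ancestors instead")
        return {"directive": "ALLOW-FROM", "protected": False, "notes": notes}
    notes.append(f"unrecognised value {raw!r}: browsers ignore it and allow framing")
    return {"directive": None, "protected": False, "notes": notes}


if __name__ == "__main__":
    # Constructed sample responses, not captured from any real site.
    for hdrs in ({"X-Frame-Options": "DENY"},
                 {"x-frame-options": "DENY, SAMEORIGIN"},
                 {"Server": "Apache"}):
        print(hdrs, "->", audit_x_frame_options(hdrs))
```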

The downsides

The main downside is that if you need to use frames in your website, usually for legacy reasons, then you may not be able to use this setting. However, you should at least be able to use the SAMEORIGIN option, even if you can't use the more secure DENY option. Other measures (such as anti-clickjacking scripts) can be used when this setting cannot.

Summary

This is a simple option which most websites should be able to use, and which provides good protection with very little downside. So it's very depressing that only 5.95% of websites use it. We recommend you make sure your site is not among the majority that doesn't.

