security

X-Frame-Options

Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.

X-Frame-Options: DENY  |  SAMEORIGIN

Common directives / values

Directive Purpose
DENY No framing at all, even by same-origin pages.
SAMEORIGIN Only same-origin pages may frame this response.
ALLOW-FROM <uri> Deprecated / unsupported in modern browsers — use CSP frame-ancestors instead.

Examples

X-Frame-Options: DENY

Safest choice for admin dashboards and auth flows — no framing anywhere.

X-Frame-Options: SAMEORIGIN

Common for apps that embed themselves in modals but block third-party framing.

X-Frame-Options: DENY\nContent-Security-Policy: frame-ancestors 'none'

Belt-and-braces: modern browsers use CSP; older ones honor XFO.

Content-Security-Policy: frame-ancestors https://embed.example.com

Preferred modern replacement — supports multiple origins, which ALLOW-FROM never really did.

Gotcha

ALLOW-FROM is dead in every current browser — do not rely on it. If CSP frame-ancestors is present, browsers ignore X-Frame-Options entirely (per CSP spec).

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors