security
X-Frame-Options
Controls whether the page may be rendered inside a <frame>, <iframe>, <embed>, or <object>, defending against clickjacking. Superseded by CSP frame-ancestors but still widely honored for legacy clients.
X-Frame-Options: DENY | SAMEORIGIN Common directives / values
| Directive | Purpose |
|---|---|
| DENY | No framing at all, even by same-origin pages. |
| SAMEORIGIN | Only same-origin pages may frame this response. |
| ALLOW-FROM <uri> | Deprecated / unsupported in modern browsers — use CSP frame-ancestors instead. |
Examples
X-Frame-Options: DENY Safest choice for admin dashboards and auth flows — no framing anywhere.
X-Frame-Options: SAMEORIGIN Common for apps that embed themselves in modals but block third-party framing.
X-Frame-Options: DENY\nContent-Security-Policy: frame-ancestors 'none' Belt-and-braces: modern browsers use CSP; older ones honor XFO.
Content-Security-Policy: frame-ancestors https://embed.example.com Preferred modern replacement — supports multiple origins, which ALLOW-FROM never really did.
Gotcha
ALLOW-FROM is dead in every current browser — do not rely on it. If CSP frame-ancestors is present, browsers ignore X-Frame-Options entirely (per CSP spec).
Related headers
Content-Security-Policy
Restricts which sources of scripts, styles, images, frames, and other resources a page may load, mitigating XSS and data injection. Policies are a semicolon-separated list of directives, each with a source list ('self', 'none', hostnames, schemes, nonces, or hashes).
X-Content-Type-Options
Disables MIME-type sniffing in browsers, forcing them to trust the declared Content-Type. Blocks a class of attacks where user-uploaded files or HTML masquerading as another type would be executed as script.
Referrer-Policy
Controls how much of the current URL is sent as the Referer header on outgoing requests and navigations. Tightening it limits leakage of query strings, session tokens, and internal paths to third parties.
Strict-Transport-Security
HSTS instructs browsers to only connect over HTTPS for max-age seconds, upgrading any http:// URL and refusing to bypass TLS warnings. Once cached the policy is sticky for the whole duration.
Permissions-Policy
Allow-lists or blocks powerful browser features (camera, mic, geolocation, payment, etc.) at the document and per-iframe level. Replaces the older Feature-Policy header with a structured-fields syntax.