X-Frame-Options Header
Purpose
Why use this header at all?
X-Frame-Options tells the browser if other sites (or even the same site) may place this site within a frame.
Recommendation
Consider the Impact of Compliance section below to see if this recommendation works for you.
Enable this header and set it to SAMEORIGIN if your site requires frames, or DENY if it does not. Content-Security-Policy values are intended to replace this header in the future, and some browsers have already started removing support for it.
Risk Mitigated
By following this recommendation, what risk is mitigated?
Enabling this header helps prevent clickjacking: attacks that display your site to the user inside a frame and use CSS/JS tricks so that users enter credentials, credit card numbers and other information into a third-party site.
Impact of Compliance
By using this header, you may expect these changes in your site's functionality
Frames have been considered a poor approach for decades. Unless you have a legacy site that relies on them, setting this header should have no impact.
Next Steps
What you can do to get there
Your web server or application framework should provide a mechanism for adding extra response headers, such as this one.
Example
What this header may look like when implemented securely
X-Frame-Options: DENY
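The following Python example is added here to show the two halves of the Next Steps above in working code; it is not code from the original page. One function wraps a WSGI application so that every response carries the recommended header (refusing values other than DENY and SAMEORIGIN at configuration time), and a second function audits a response's header list the way a scanner would, treating a Content-Security-Policy frame-ancestors directive as the successor mechanism the Recommendation mentions. The function names, the demo application and the sample headers are constructed for this illustration.

```python
"""Added example, not from the original page: set X-Frame-Options from
application code and audit a set of response headers for frame protection.
Function names, the demo app and the sample headers are constructed."""
from typing import Iterable

VALID_VALUES = ("DENY", "SAMEORIGIN")


def add_frame_options(app, value="DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options: <value>.

    Only the two values the page recommends are accepted; anything else is a
    configuration error rather than something to send to browsers.
    """
    if value not in VALID_VALUES:
        raise ValueError(f"X-Frame-Options must be one of {VALID_VALUES}, got {value!r}")

    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app already set so the response
            # never carries two (possibly conflicting) copies.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)

        return app(environ, start_with_header)

    return wrapped


def audit_frame_protection(headers: Iterable[tuple[str, str]]) -> tuple[str, str]:
    """Classify a response's framing protection from its (name, value) headers.

    Returns (verdict, reason) with verdict in {'protected', 'weak',
    'unprotected'}. Header names are matched case-insensitively, as HTTP
    requires; Content-Security-Policy-Report-Only is deliberately not counted,
    because it enforces nothing.
    """
    headers = list(headers)
    xfo = [v.strip().upper() for k, v in headers if k.lower() == "x-frame-options"]
    csp = [v for k, v in headers if k.lower() == "content-security-policy"]

    # frame-ancestors is the CSP replacement for this header; when it is
    # present it is the authoritative setting for current browsers.
    for policy in csp:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = tokens[1:]
                if sources == ["'none'"]:
                    return "protected", "CSP frame-ancestors 'none'"
                if sources == ["'self'"]:
                    return "protected", "CSP frame-ancestors 'self'"
                if "*" in sources:
                    return "unprotected", "CSP frame-ancestors allows any origin"
                return "protected", "CSP frame-ancestors restricts framing to " + " ".join(sources)

    if not xfo:
        return "unprotected", "no X-Frame-Options or CSP frame-ancestors header"
    if len(set(xfo)) > 1:
        # Two different values make browser behaviour unpredictable.
        return "weak", f"conflicting X-Frame-Options values: {sorted(set(xfo))}"
    value = xfo[0]
    if value in VALID_VALUES:
        return "protected", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers"
    return "unprotected", f"unrecognised X-Frame-Options value {value!r}"


def _demo_app(environ, start_response):
    """Constructed minimal WSGI app used to show the middleware in action."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def headers_from_wrapped_app(value="DENY"):
    """Run the wrapped demo app once and return the headers it emitted."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers

    list(add_frame_options(_demo_app, value)({}, start_response))
    return captured["headers"]


if __name__ == "__main__":
    emitted = headers_from_wrapped_app("SAMEORIGIN")
    print(emitted)
    print(audit_frame_protection(emitted))
```

The audit deliberately grades an ALLOW-FROM value as weak rather than protected, and two differing X-Frame-Options values as weak: both are configurations that look like protection in a header dump but do not give a reliable result in the browser, which is exactly what a header-hardening check should surface.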
Read More!
Welcome! The library is new, and has some content to read over -- We'll be adding more soon!
- Cache Control
- Cookie Flags: Secure
- Cookie Flags: HTTPOnly
- HTTP Strict Transport Security (HSTS)
- HTTP Public Key Pinning (HPKP)
- Pragma
- Server
- X-Frame-Options
- X-Powered-By
- X-XSS-Protection