How Do You Configure Your Web Server to Include an X-Frame-Options Header?


Angela Bailey

How Do You Configure Your Web Server to Include an X-Frame-Options Header?

If you want to protect your website from clickjacking attacks, it is essential to configure your web server to include an X-Frame-Options header. This header tells the browser whether or not your website can be displayed within an iframe on another domain.

What is Clickjacking?

Clickjacking is a malicious technique used by attackers to trick users into clicking on something they didn’t intend to. It involves overlaying invisible or disguised elements on top of legitimate content, making users unknowingly interact with hidden actions. By using iframes, attackers can load other websites or execute actions without the user’s knowledge.

The Importance of X-Frame-Options Header

The X-Frame-Options header provides a simple way to defend against clickjacking attacks. It allows webmasters to control whether their website can be embedded within iframes on other domains. By setting this header correctly, you can prevent unauthorized parties from loading your website in a frame and protect your users’ interactions.

Configuring the X-Frame-Options Header

To configure your web server to include the X-Frame-Options header, follow these steps:

  1. Identify Your Web Server Software: The method for configuring headers varies depending on the web server software you are using. The most popular ones include Apache, Nginx, and IIS.
  2. Apache: If you are using Apache as your web server software, you can add the following line to your .htaccess file:
      <IfModule mod_headers.c>
        Header always append X-Frame-Options SAMEORIGIN
  1. Nginx: If you are using Nginx, add the following line to your server configuration:
      add_header X-Frame-Options SAMEORIGIN;
  1. IIS: For IIS servers, open the web.config file and add the following code inside the <system.webServer> section:
          <add name="X-Frame-Options" value="SAMEORIGIN" />

Understanding the X-Frame-Options Values

The X-Frame-Options header supports three values:

  • DENY: This value prevents your website from being loaded in any iframe on any domain.
  • SAMEORIGIN: With this value, your website can only be loaded in iframes on pages that originate from the same domain.
  • ALLOW-FROM uri: This value allows your website to be loaded in iframes on a specific domain specified by the URI. Note that this value is deprecated and not supported by all browsers.

Testing Your Configuration

To test whether your web server is correctly sending the X-Frame-Options header, you can use browser developer tools or online tools like These tools will show you the response headers of your website and indicate whether the X-Frame-Options header is present and configured correctly.


Protecting your website from clickjacking attacks is crucial for maintaining the security and integrity of your users’ interactions. By configuring your web server to include the X-Frame-Options header, you can effectively defend against clickjacking attempts and ensure that your website is displayed only in trusted iframes. Remember to choose the appropriate value for X-Frame-Options based on your specific requirements!

Discord Server - Web Server - Private Server - DNS Server - Object-Oriented Programming - Scripting - Data Types - Data Structures

Privacy Policy