Prevents your website from being silently embedded inside another site's iframe — a technique used in clickjacking attacks to trick users into clicking things they can't see.
A clickjacking attack works like this: the attacker builds a web page and loads your site into an <iframe> that is made fully transparent and positioned over their own content. The visitor sees only the attacker's page, but the invisible frame sits on top and receives the clicks. When the visitor thinks they're clicking a "Play Game" button on the attacker's page, they're actually clicking a "Transfer Money" button on your banking site, loaded underneath.
X-Frame-Options tells the browser either "never render this page inside a frame" (DENY) or "only render it when every page framing it has the same origin as this one" (SAMEORIGIN). A browser that receives the header refuses to render the framed document at all, so the invisible overlay has nothing to pass clicks to. The header has to be present on every response that could be framed, not just on the login page.
Imagine someone sets up a fake shop window with your store's interior projected onto it, then places their own price tags in front. Customers think they're reading your prices, but they're being misled. X-Frame-Options is a legal notice on your storefront: "This view cannot be reproduced in any other window."
Without this header (or an equivalent CSP frame-ancestors directive), any website on the internet can embed your pages in an invisible iframe. Login forms, payment buttons and account settings pages are the usual targets, because a single misplaced click there has a real effect.
X-Frame-Options: ALLOW-FROM https://partner.com
ALLOW-FROM was intended to permit specific trusted origins, but no current browser honours it: Chrome and Safari never implemented it, and Firefox removed its support in version 70. Because browsers ignore X-Frame-Options values they do not recognise, a page that sends only ALLOW-FROM is effectively unprotected. Use the CSP frame-ancestors directive instead for per-origin control.
X-Frame-Options: DENY
The page cannot be embedded in any iframe by anyone, including your own site. Use this for login pages, admin panels, and payment flows.
X-Frame-Options: SAMEORIGIN
The page can only be framed by documents from the same origin, meaning the same scheme, host and port; a different subdomain is a different origin and is blocked. Current browsers check every frame in the ancestor chain, not just the top-level page, but older ones compared only the top-level document, which is one more reason to prefer CSP frame-ancestors where you can. Use SAMEORIGIN if your own site legitimately frames the page (e.g. a preview feature).
add_header X-Frame-Options "DENY" always;  # nginx, in the server or location block; "always" adds the header to error responses too. A location block with its own add_header inherits none from the parent, so repeat it there.
Header always set X-Frame-Options "DENY"  # Apache, requires mod_headers; "always" covers error responses as well as successful ones
Use Transform Rules → Modify Response Header with a "Set static" operation to add X-Frame-Options: DENY to every response that matches the rule. The header is added at Cloudflare's edge, so it is present whether or not your origin server sets it.
If you're already configuring a Content Security Policy, use frame-ancestors instead: it takes a list of permitted origins and is fully supported in all modern browsers. Note that it only works as an HTTP response header; browsers ignore frame-ancestors inside a <meta http-equiv> tag.
Content-Security-Policy: frame-ancestors 'none';
'none' is equivalent to DENY. 'self' is equivalent to SAMEORIGIN. You can also list specific trusted origins: frame-ancestors 'self' https://dashboard.yourdomain.com. When a response carries both headers, a browser that understands frame-ancestors enforces it and ignores X-Frame-Options entirely, so keep the two consistent (or send only the CSP directive) rather than relying on X-Frame-Options as a stricter fallback.
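The rules described above (DENY, SAMEORIGIN, the ignored ALLOW-FROM value, and frame-ancestors taking precedence over X-Frame-Options) can be checked against concrete header sets. The following Node.js script is an added example, not code from the original page: it emulates the decision a browser makes when a document is loaded in an iframe, following the HTML specification's X-Frame-Options processing and a simplified form of CSP frame-ancestors source matching. The origins bank.example, dashboard.bank.example, partner.example and evil.example, and every header value, are constructed for illustration.

```javascript
// Added example, not from the original page: emulates the decision a browser
// makes when a document is loaded inside an <iframe>, driven by the document's
// X-Frame-Options and Content-Security-Policy response headers. Every origin
// and header value below is constructed for illustration.
// Source matching is deliberately limited to the forms this page uses:
// 'none', 'self', scheme sources (https:) and host sources such as
// https://dashboard.bank.example, optionally with a *. wildcard or a port.

// Pull the frame-ancestors source list out of a CSP header value.
// Returns null when the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one frame-ancestors source expression match a framing document's origin?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === pageOrigin;
  const a = new URL(ancestorOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return a.protocol === s; // scheme source, e.g. https:
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+))?$/);
  if (!m) return false; // paths and other keywords are not handled by this toy matcher
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (a.protocol !== scheme + ':') return false;
  } else if (a.protocol !== new URL(pageOrigin).protocol && a.protocol !== 'https:') {
    return false; // a scheme-less source takes the protected page's scheme; https always qualifies
  }
  const hostOk = wildcard ? a.hostname.endsWith('.' + host) : a.hostname === host;
  if (!hostOk) return false;
  // URL.origin strips default ports, so an empty a.port means "default port for the scheme".
  const effectivePort = a.port || (a.protocol === 'https:' ? '443' : '80');
  return port ? effectivePort === port : a.port === '';
}

// Decide whether the browser renders the page at `pageOrigin` when it is framed
// by the documents in `ancestorOrigins` (every frame between it and the tab).
// `headers` is a plain object of the page's response headers.
function decideFraming({ pageOrigin, ancestorOrigins, headers }) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // 1. A CSP frame-ancestors directive takes precedence: when it is present,
  //    X-Frame-Options is ignored completely, even if it says DENY.
  const sources = frameAncestors(h['content-security-policy']);
  if (sources !== null) {
    const allowed = ancestorOrigins.every(
      (anc) => sources.some((src) => sourceMatches(src, anc, pageOrigin)));
    return { allowed, reason: 'CSP frame-ancestors ' + sources.join(' ') };
  }

  // 2. X-Frame-Options. A header sent twice arrives comma-joined; two distinct
  //    values are a conflict and browsers refuse to render in that case.
  const values = [...new Set((h['x-frame-options'] || '')
    .split(',').map((v) => v.trim().toLowerCase()).filter(Boolean))];
  if (values.length > 1) return { allowed: false, reason: 'conflicting X-Frame-Options values' };
  const xfo = values[0] || '';
  if (xfo === 'deny') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'sameorigin') {
    // Current browsers compare every ancestor, not only the top-level page.
    const allowed = ancestorOrigins.every((anc) => anc === pageOrigin);
    return { allowed, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // 3. Anything else, ALLOW-FROM included, is unrecognised and silently ignored,
  //    which leaves the page framable by anyone.
  return {
    allowed: true,
    reason: xfo ? `unrecognised X-Frame-Options "${xfo}" ignored` : 'no framing policy',
  };
}

// Constructed responses from a hypothetical https://bank.example, one per policy.
const PAGE = 'https://bank.example';
const RESPONSES = {
  deny:       { 'X-Frame-Options': 'DENY' },
  sameorigin: { 'X-Frame-Options': 'SAMEORIGIN' },
  allowFrom:  { 'X-Frame-Options': 'ALLOW-FROM https://partner.example' },
  cspNone:    { 'Content-Security-Policy': "frame-ancestors 'none'" },
  cspList:    { 'Content-Security-Policy': "frame-ancestors 'self' https://dashboard.bank.example" },
  both:       { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'self'" },
};

function check(name, ancestorOrigins) {
  return decideFraming({ pageOrigin: PAGE, ancestorOrigins, headers: RESPONSES[name] });
}

// Ask each policy the question that matters: does an attacker's page get to frame us?
for (const name of Object.keys(RESPONSES)) {
  const r = check(name, ['https://evil.example']);
  console.log(`${name.padEnd(10)} framed by evil.example -> ${r.allowed ? 'RENDERED' : 'blocked'} (${r.reason})`);
}
```

Run it with `node` and the allowFrom row is the one to look at: it renders for the attacker, because the browser treats the unrecognised value as if no header were sent. The `both` entry shows the other trap the page mentions: with frame-ancestors 'self' present, the DENY beside it is never consulted.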