How to add X-Frame-Options to prevent Clickjacking Print

  • X-Frame-Options, Stop Clickjacking, Prevent Clickjacking, Disable iFrames
  • 100

What is X-Frame-Options

X-Frame-Options is an HTTP header that gives you control over how your website may be presented within an iframe on an external website or application. While that may be useful in a number of ways, it makes your website users vulnerable to Clickjacking attacks.

Clickjacking allows hackers to trick users into clicking on malicious links by making such links appear as though they are legitimately on your website. This is why the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as early as possible. 

Please keep in mind that X-Frame-Options has been superseded by the CSP - Content Security Policy’s frame-ancestors directive. CSP allows considerably more granular control over the origins allowed to frame a site. As frame-ancestors is not yet supported in older browsers like IE11, and even the modern ones like Edge, Safari 9.1 (desktop), and Safari 9.2 (iOS), it is advisable that websites deploy X-Frame-Options in addition to using the CSP.

Websites that require the ability to be iframed must use either CSP and/or employ JavaScript defenses to prevent clickjacking from malicious origins.


  • DENY: disallow allow attempts to iframe site (recommended)
  • SAMEORIGIN: allow the site to iframe itself
  • ALLOW-FROM uri: deprecated; instead use CSP’s frame-ancestors directive

X-Frame-Options Examples

# Block site from being framed with X-Frame-Options and CSP
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
# Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
# Allow only to frame site
# Note that this blocks framing from browsers that don't support CSP2+
Content-Security-Policy: frame-ancestors
X-Frame-Options: DENY

How to easily add X-Frame-Options to Website

Simply add the following code snippet to your .htaccess file inside the public_html directory. You can access it by using your Rocket Domains Dashboard.Website, and then using the "File Manager" option under the "Sites" Tab.

Header always set X-FRAME-OPTIONS "DENY"

More useful tips for your business

Google confirms domain does not affect site SEO

The Whys and Hows of Backing Up Your WordPress Website

Why Google Workspace is Great for Your Business

How to Submit Your Website to Search Engines in a Few Steps

Remote Backups for Google Cloud Hosting

Was this answer helpful?

« Back