What is X-Frame-Options
X-Frame-Options is an HTTP response header that controls whether your website may be displayed inside an iframe on an external website or application. Allowing a site to be framed can be useful in a number of ways, but it also exposes your website's users to clickjacking attacks.
Clickjacking lets an attacker trick users into clicking on malicious content by making it appear to be a legitimate part of your website. This is why the use of the X-Frame-Options header is mandatory for all new websites, and all existing websites are expected to add support for X-Frame-Options as early as possible.
Please keep in mind that X-Frame-Options has been superseded by the Content Security Policy (CSP) frame-ancestors directive. CSP allows considerably more granular control over the origins allowed to frame a site. Because frame-ancestors is not yet supported in older browsers like IE11, and not even in modern ones like Edge, Safari 9.1 (desktop) and Safari 9.2 (iOS), it is advisable that websites deploy X-Frame-Options in addition to using CSP.
Websites that require the ability to be iframed must use CSP and/or employ JavaScript defenses to prevent clickjacking from malicious origins.
Directives
DENY: disallow all attempts to iframe the site (recommended)
SAMEORIGIN: allow the site to iframe itself
ALLOW-FROM uri: deprecated; use CSP's frame-ancestors directive instead
X-Frame-Options Examples
# Block site from being framed with X-Frame-Options and CSP
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
# Only allow my site to frame itself
Content-Security-Policy: frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
# Allow only my.rocket.domains to frame site
# Note that this blocks framing from browsers that don't support CSP2+
Content-Security-Policy: frame-ancestors https://framer.rocket.domains
X-Frame-Options: DENY
How to easily add X-Frame-Options to your website
Simply add the following line to the .htaccess file inside the public_html directory. You can access the file from your Rocket Domains Dashboard: open Website, then use the "File Manager" option under the "Sites" tab.
Header always set X-FRAME-OPTIONS "DENY"
The Header directive requires Apache's mod_headers module to be enabled (an assumption about the hosting setup). After saving the file, load any page of your site and check its response headers to confirm that X-Frame-Options: DENY is present. Use SAMEORIGIN instead of DENY if your site legitimately frames its own pages, and remember that this line sets only X-Frame-Options, not the CSP frame-ancestors directive described above.
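To check a site's framing protection the way this article recommends (CSP frame-ancestors where supported, X-Frame-Options as the fallback), here is an added example that is not part of the article or Rocket Domains' own tooling. The verdict names, the helper functions and the SAMPLE headers are this example's own constructions; fetch_headers() needs network access, while assess() runs offline on a dict of header name to list of values.

```python
from urllib.request import urlopen

def parse_frame_ancestors(csp_values):
    """Lower-cased frame-ancestors sources from the first policy naming it, else None."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.strip().lower().split()
            if tokens and tokens[0] == "frame-ancestors":
                return tokens[1:]
    return None

def assess(headers):
    """Return (verdict, notes), verdict in blocked / self-only / restricted / unprotected.
    CSP frame-ancestors wins where supported; X-Frame-Options only covers older browsers."""
    lower = {k.lower(): v for k, v in headers.items()}
    xfo = [v.strip().upper() for v in lower.get("x-frame-options", [])]
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", []))
    notes = []
    if ancestors is not None:
        if ancestors in ([], ["'none'"]):  # an empty source list matches nothing
            verdict = "blocked"
        elif ancestors == ["'self'"]:
            verdict = "self-only"
        else:
            verdict = "restricted"
            if xfo[:1] == ["DENY"]:
                notes.append("browsers without CSP2 fall back to DENY and block all framing")
        if not xfo:
            notes.append("no X-Frame-Options fallback for browsers lacking frame-ancestors")
    elif not xfo:
        verdict, notes = "unprotected", ["neither X-Frame-Options nor frame-ancestors is set"]
    elif xfo[0] == "DENY":
        verdict = "blocked"
    elif xfo[0] == "SAMEORIGIN":
        verdict = "self-only"
    else:  # ALLOW-FROM is deprecated; browsers that do not support it ignore the header
        verdict, notes = "unprotected", ["unsupported X-Frame-Options value: " + xfo[0]]
    return verdict, notes

def fetch_headers(url):
    """Fetch url (needs network) and return its headers as {lowercase-name: [values]}."""
    with urlopen(url) as resp:
        collected = {}
        for name, value in resp.headers.items():
            collected.setdefault(name.lower(), []).append(value)
    return collected

# Constructed sample (added here, not a real response) mirroring the article's third example.
SAMPLE = {"Content-Security-Policy": ["default-src 'self'; frame-ancestors https://framer.rocket.domains"],
          "X-Frame-Options": ["DENY"]}
```

Running assess(fetch_headers("https://your-site.example/")) against a live page reports whether the .htaccess change took effect and whether a CSP fallback gap remains.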