Loading...
WebShield Audit
Medium severity
Missing X-Frame-Options
Prevents your website from being embedded in an iframe on another site. This stops "Clickjacking" attacks.
Business risk
In a Clickjacking attack, a user visits a malicious site which has your website loaded in an invisible iframe on top of a "Play Game" button. When they click "Play", they are actually clicking "Delete Account" on your site (if they are logged in). XFO tells the browser "Do not allow anyone to iframe me."
Technical details
Modern alternative: `Content-Security-Policy: frame-ancestors 'none'`. However, `X-Frame-Options: DENY` is still recommended for defense-in-depth and support for older tools. Use `SAMEORIGIN` if you need to frame your own pages within the same site.
How to detect it
Two headers can stop clickjacking: `X-Frame-Options: DENY` and `Content-Security-Policy: frame-ancestors 'none'`. Missing both means your page can be iframed anywhere. Check both on every HTML response.
Read X-Frame-Options
curl -sI https://yourdomain.com | grep -i x-frame-optionsRead frame-ancestors in CSP
curl -sI https://yourdomain.com | grep -i content-security-policy | grep -o "frame-ancestors[^;]*"Prove iframe embedding is blocked
echo '<iframe src="https://yourdomain.com"></iframe>' > test.html && open test.htmlCommon pitfalls
- Using `ALLOW-FROM uri`. It is deprecated, never worked in Chrome or Safari, and is ignored today. Use `Content-Security-Policy: frame-ancestors` for per-origin allowlists.
- Setting only `frame-ancestors` and dropping `X-Frame-Options`. Most browsers honor frame-ancestors and ignore XFO when both are present, but older IE and some scanners still check for XFO. Keep both for defense in depth.
- Forgetting that framework middleware strips headers on redirects. If your 301/302 handlers skip the security header middleware, those responses can be iframed. Set XFO globally.
- Using `SAMEORIGIN` when you actually need `DENY`. If no page on your site needs to be iframed by your own site, `DENY` is safer.
- Setting the header via `<meta http-equiv>`. XFO is header-only; meta tags are ignored.
Remediation guide
External references
Frequently asked questions
X-Frame-Options or CSP frame-ancestors?
Use both. `frame-ancestors` is the modern, spec'd replacement and supports allowlists (`frame-ancestors self https://partner.com`). `X-Frame-Options` remains as defense in depth for older tooling that does not parse CSP. They do not conflict.
DENY or SAMEORIGIN?
DENY if no page on your site ever needs to be iframed. SAMEORIGIN if you iframe your own pages (dashboards inside an admin shell, help articles inside a product). Never set `ALLOW-FROM` - it is deprecated everywhere.
My partner needs to embed us. What do I do?
Drop X-Frame-Options for that route and use `Content-Security-Policy: frame-ancestors https://partner.com` instead. XFO does not support per-origin allowlists; frame-ancestors does.
Keep going
Related guide
Missing Content Security Policy (CSP)
High severity · Content
Related guide
Unsafe Links (Reverse Tabnabbing)
Medium severity · Content
Related guide
Missing Permissions-Policy
Low severity · Privacy
Deep guide
CSP Safe Rollout: Report-Only to Enforce in Six Stages
Deploy a Content-Security-Policy that actually stops XSS - without shipping a broken site.
Free tool
CSP Checker
Validate your CSP in one scan - catches the mistakes linters miss.
Verify your fix
Applied the configuration change? Run a live scan to confirm the vulnerability is patched.