
[Repost] X-Frame-Options: preventing a web page from being placed in an iframe

What are X-Frame-Options?

X-Frame-Options is an HTTP response header that tells the browser whether this page may be placed in an iframe. For example:


  • X-Frame-Options: DENY

  • X-Frame-Options: SAMEORIGIN

  • X-Frame-Options: ALLOW-FROM http://caibaojian.com/


The first example tells the browser never to put the page in an iframe (DENY); this is usually done to protect users against clickjacking.

The second example tells the browser to display the page only when the site hosting the iframe is the same site that issued the X-Frame-Options header.

The third example tells the browser that this page may only be placed in an iframe by a page on http://caibaojian.com/.

A page that does not send X-Frame-Options can be placed inside any iframe.

X-Frame-Options protects your pages from being placed in iframes by malicious websites, which would make your users victims of clickjacking.

There are two possible values when using X-Frame-Options:
  • DENY: the page cannot be displayed in a frame.

  • SAMEORIGIN: the page can only be displayed in a frame of a page on the same site.

Sometimes, to prevent a page from being iframed by other people's websites, we set X-Frame-Options in the HTTP response header on the server side. The X-Frame-Options response header has three possible values:

  • DENY: the page cannot be embedded in any iframe or frame;

  • SAMEORIGIN: the page can only be embedded in an iframe or frame by a page of the same site;

  • ALLOW-FROM uri: the page can only be embedded in an iframe or frame by a page from the specified origin.
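As an added example (not code from the original post), the Python below models how a browser applies the values above when deciding whether one page may frame another; it compares web origins (scheme, host and port), and all URLs and header dictionaries in it are constructed. Browsers apply X-Frame-Options only when it arrives as an HTTP response header, so the lookup works on response headers.

```python
"""Model the browser decision for an X-Frame-Options (XFO) header value.

Added example, not code from the original post. Covers the three values the
post lists (DENY, SAMEORIGIN, ALLOW-FROM <uri>) plus a missing header and a
misspelled one. All URLs and header dicts are constructed sample input.
"""
from typing import Dict, Optional
from urllib.parse import urlsplit

# ALLOW-FROM was honoured only by Firefox and legacy IE/Edge; other browsers
# treat it as an unknown value. Set to False to model those browsers.
HONOUR_ALLOW_FROM = True


def origin_of(url: str) -> str:
    """Web origin of a URL: scheme://host[:port], lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(xfo: Optional[str], page_url: str, framer_url: str) -> bool:
    """True if a page at framer_url may put page_url in an iframe.

    No header -> any site may frame it.  DENY -> never.  SAMEORIGIN -> only the
    same origin.  ALLOW-FROM uri -> only that origin (where supported).
    Anything else is an invalid header, which browsers ignore (framing allowed).
    """
    if xfo is None:
        return True
    parts = xfo.strip().split(None, 1)
    directive = parts[0].upper() if parts else ""
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive == "ALLOW-FROM" and HONOUR_ALLOW_FROM and len(parts) == 2:
        return origin_of(framer_url) == origin_of(parts[1])
    return True  # unrecognised value, e.g. the typo SAMEORIGHT: not enforced


def xfo_from_headers(headers: Dict[str, str]) -> Optional[str]:
    """Case-insensitive lookup of X-Frame-Options in a response header dict."""
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            return value
    return None
```

A misspelled value such as SAMEORIGHT is the case worth checking in a deployment test: it looks like a policy but is silently ignored.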

The way to set it on the server is as follows:

Java:
    response.addHeader("X-Frame-Options", "SAMEORIGIN");

Nginx:
    add_header X-Frame-Options SAMEORIGIN;

Apache:
    Header always append X-Frame-Options SAMEORIGIN

In addition, according to more recent information, it can also be set directly through a meta tag, without putting it in the HTTP header.

<meta http-equiv="X-Frame-Options" content="deny">

Two values (their meaning is the same as above):

  1. SAMEORIGIN

  2. DENY

IIS: add the following configuration to web.config:

<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>

