The X-Frame-Options Header

The X-Frame-Options header helps to prevent an attack called "clickjacking". In a clickjacking attack, the attacker places your site in an invisible frame on top of malicious content, hoping that your site will entice the user to click; in actuality, instead of clicking on your site, the user is clicking the malicious content.

By setting X-Frame-Options to "sameorigin", you prevent your site from being placed in a frame anywhere except on your own website. The potential downside is if you need to iframe your website somewhere other than on the same domain. We recommend trying this setting for a two-week period to ensure that no legitimate sites are framing your site.

If you have not received any reports of legitimate framing of your site after two weeks, you might consider tightening X-Frame-Options even further by changing it to "deny", which blocks all framing of your site (including framing on your own website).
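To see exactly what "sameorigin" and "deny" permit before you switch between them, the following added example (not code from the original post) evaluates a page's X-Frame-Options value against the origins of the frames embedding it, the way current browsers do. The page and framing URLs are constructed for illustration.

```python
"""Decide whether a browser would let a page be framed, given the page's
X-Frame-Options response header and the origins of its framing ancestors.
Added example; the URLs below are constructed, not real sites."""
from typing import Optional, Sequence
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin for same-origin checks."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()


def framing_allowed(xfo: Optional[str], page_url: str,
                    ancestor_urls: Sequence[str]) -> bool:
    """Return True if every ancestor frame may embed page_url.

    Mirrors how current browsers apply X-Frame-Options:
      * no header, or an unrecognised value (including the obsolete
        ALLOW-FROM), leaves framing unrestricted;
      * conflicting values such as "DENY, SAMEORIGIN" fall back to DENY;
      * DENY blocks every ancestor, including the site's own pages;
      * SAMEORIGIN requires every ancestor to share the page's origin.
    """
    if xfo is None:
        return True
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) > 1 and values & {"deny", "sameorigin"}:
        return False  # conflicting directives: browsers fall back to deny
    if "deny" in values:
        return False
    if "sameorigin" in values:
        page_origin = origin_of(page_url)
        return all(origin_of(a) == page_origin for a in ancestor_urls)
    return True  # unknown token (e.g. ALLOW-FROM) is ignored by modern browsers


# Constructed scenarios for the two settings discussed above.
PAGE = "https://www.example.com/checkout"
OWN_SITE = ["https://www.example.com/help"]
THIRD_PARTY = ["https://other-site.example/decoy"]  # the clickjacking case

if __name__ == "__main__":
    for header, ancestors in [("SAMEORIGIN", OWN_SITE), ("SAMEORIGIN", THIRD_PARTY),
                              ("DENY", OWN_SITE), (None, THIRD_PARTY)]:
        verdict = "allowed" if framing_allowed(header, PAGE, ancestors) else "blocked"
        print(f"{header!s:>10} framed by {ancestors[0]}: {verdict}")
```

Note that the check compares full origins, so an http:// page framing your https:// site counts as cross-origin and is blocked under "sameorigin".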

Come back next week for more information on securing your site using .htaccess.

Written by Jesse Goll

Jesse G grew up working on computers. He fondly remembers playing Space Invaders on a Tandy II. Jesse has over 12 years of experience working in the industry on everything from single-page brochure sites to multi-million-dollar enterprise-level sites. When not buried deep in the latest programming book, Jesse G enjoys fishing, camping, hiking, mountain biking, hunting, and spending time with his wife and twin daughters.