The X-Frame-Options header is an HTTP response header indicating if a browser can use particular instructions such as “frame,” “iframe,” and “embed.” This header is essential to prevent clickjacking attacks.
By controlling permissible instructions, website owners can prevent content from being embedded on other sites. However, the instruction only works on web browsers that recognize and support X-Frame-Options.
Most popular web browsers today support the X-Frame-Options header. They include:
- Google Chrome
- Mozilla Firefox
- Internet Explorer
- Microsoft Edge
When to Configure the X-Frame-Options Header
On occasion, some frame content may not load in some browsers. This failure to load will result in an (often) glaringly blank space on the web page. If this situation occurs, you may need to configure the X-Frame-Options header.
You can also check for this error by loading the developer console or developer tools in your browser. The console should highlight X-Frame-Options header errors with messages such as “
Refused to display ‘https://thewebsite.com/’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin.’
How to Configure the X-Frame-Options Header
Most hosting accounts will set the default X-Frame-Options header as “sameorigin.” This setting should work fine if that is your intention. If you want to share content on various websites, then the X-Frame-Options header must be disabled.
To disable the header:
- Step 1. Log in to the SPanel account for your website.
- Step 2. Click on “File Manager” in the “Files” section, then navigate to your public_html directory.
- Step 3. Click the “.htaccess” file and select “Edit” to open it.
- Step 4. Add the “Header always unset X-Frame-Options” instruction to the .htaccess file, then save the file when exiting.
While frames are helpful to optimize performance in content display, they can also be made use of by attackers. These attacks make use of frames to make them click on specific elements like buttons or links.
The term “clickjacking” originates from this – the hijack of what should be regular content of a website and diverting visitor actions elsewhere. Clickjacking is bad for site owners and visitors. The former loses potential clicks and may suffer reputational damage.
Consequences for site visitors can range from mild (annoyance at diversion) to severe (diversion towards harmful content such as malware).