短.be

X-Frame-Options

An HTTP response header that controls whether a browser should allow a page to be displayed in an iframe.

Sep 7, 2025 · About 1 min read

Security

X-Frame-Options is an HTTP response header that indicates whether a browser should be allowed to render a page in a frame, iframe, embed, or object element. It was introduced as a defense against clickjacking attacks and is supported by all modern browsers.

The header accepts three values: DENY (the page cannot be displayed in any frame), SAMEORIGIN (the page can only be framed by pages from the same origin), and ALLOW-FROM uri (the page can be framed only by the specified origin, though this value has limited browser support).

While X-Frame-Options remains widely used, the frame-ancestors directive in Content Security Policy (CSP) is the modern replacement. CSP's frame-ancestors offers more flexibility, supporting multiple origins and wildcard patterns. When both X-Frame-Options and CSP frame-ancestors are present, CSP takes precedence in browsers that support it.

For URL shortening services, setting X-Frame-Options to DENY or SAMEORIGIN on the management dashboard and content pages prevents those pages from being embedded in malicious sites. The redirect endpoints typically do not need frame protection, since they immediately redirect rather than displaying content.
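As an added example (not part of the original article), a small Python checker that applies the rules described above to a response's headers: X-Frame-Options DENY, SAMEORIGIN and ALLOW-FROM, with a CSP frame-ancestors directive taking precedence whenever it is present. It is useful for auditing which pages of a service (dashboard, content pages, redirect endpoints) can be framed and by whom; all origins used with it are constructed placeholders.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Reduce a URL (or an ALLOW-FROM value) to a lowercase scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def _frame_ancestors(csp: str):
    """Return the source list of a frame-ancestors directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def _source_matches(src: str, framer: str, page: str) -> bool:
    """Match one frame-ancestors source expression ('self', 'none', *, host-source) against the framing origin."""
    s = src.strip("'").lower()
    if s == "none":
        return False
    if s == "self":
        return framer == page
    if s == "*":
        return True
    fr = urlsplit(framer)
    scheme, _, host = s.rpartition("://")
    if scheme and scheme != fr.scheme:
        return False
    if host.startswith("*."):          # wildcard host-source, e.g. https://*.example.com
        return fr.netloc.endswith(host[1:])
    return fr.netloc == host


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """True if the page served with `headers` may be framed by a document at framer_url."""
    h = {k.lower(): v for k, v in headers.items()}
    page, framer = origin_of(page_url), origin_of(framer_url)
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:          # CSP frame-ancestors present: X-Frame-Options is ignored
        return any(_source_matches(src, framer, page) for src in ancestors)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    if xfo.startswith("ALLOW-FROM"):   # legacy value with limited browser support
        parts = xfo.split(None, 1)
        return len(parts) == 2 and framer == origin_of(parts[1])
    return True                        # no protection header at all: any site may frame the page
```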


FAQ

What values can X-Frame-Options be set to?
DENY (blocks all iframe embedding), SAMEORIGIN (allows embedding only from the same origin), and ALLOW-FROM (allows embedding from a specific origin).
What's the difference between X-Frame-Options and CSP frame-ancestors?
frame-ancestors is the successor to X-Frame-Options and offers more flexible control, including the ability to specify multiple origins. When both are set, CSP takes precedence.
