X-Frame-Options

Controls whether the page can be embedded in iframes. Prevents clickjacking.

Response

Syntax

X-Frame-Options: DENY | SAMEORIGIN | ALLOW-FROM <uri>

Example values

Value        Explanation
DENY         No framing
SAMEORIGIN   Same origin only

cURL usage

curl -I https://example.com  # Check framing policy

Common mistakes

ALLOW-FROM is deprecated; use CSP frame-ancestors instead.
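
A check for this mistake, as an added example that is not part of the original page: it reads raw response headers such as `curl -I` prints and reports the effective framing policy. The function names and sample headers are constructed for illustration; it assumes current browser behaviour, where a header carrying ALLOW-FROM is ignored and an enforced CSP frame-ancestors directive takes precedence over X-Frame-Options.

```python
# Added example: classify the framing policy in raw response headers
# (the text `curl -I` prints). Function names are illustrative.

# Constructed sample input.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
)

def parse_headers(raw):
    """Return {lowercased-name: [values]}; lines without a colon are skipped."""
    headers = {}
    for line in raw.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(headers):
    """Return the frame-ancestors source list from an enforced CSP, or None."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return parts[1:]
    return None

def framing_policy(raw):
    """Return (verdict, note) for a raw header block."""
    headers = parse_headers(raw)
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # frame-ancestors, when present, is used instead of X-Frame-Options.
        if "*" in ancestors:
            return "unprotected", "frame-ancestors allows any origin"
        return "protected", "CSP frame-ancestors " + " ".join(ancestors)
    values = [p.strip().upper()
              for v in headers.get("x-frame-options", [])
              for p in v.split(",") if p.strip()]
    if not values:
        return "unprotected", "no X-Frame-Options or frame-ancestors"
    if any(v.startswith("ALLOW-FROM") for v in values):
        return "unprotected", "ALLOW-FROM is deprecated; use CSP frame-ancestors"
    if all(v in ("DENY", "SAMEORIGIN") for v in values):
        return "protected", "X-Frame-Options " + " ".join(values)
    return "unprotected", "unrecognized X-Frame-Options value"

if __name__ == "__main__":
    print(framing_policy(SAMPLE))
```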
