URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
X-FRAME-OPTIONS

The X-Frame-Options HTTP response header can be used to indicate whether or not
a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or
<object>. Sites can use this to avoid clickjacking attacks, by ensuring that
their content is not embedded into other sites.

The added security is provided only if the user accessing the document is using
a browser that supports X-Frame-Options.

Note: The Content-Security-Policy HTTP header has a frame-ancestors directive
which obsoletes this header for supporting browsers.

Header type: Response header
Forbidden header name: no


SYNTAX

There are two possible directives for X-Frame-Options:

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN



DIRECTIVES

If you specify DENY, attempts to load the page in a frame fail not only when the
framing page comes from another site but also when it comes from the same site.
If you specify SAMEORIGIN, you can still use the page in a frame as long as the
site including it in a frame is the same as the one serving the page.

DENY

The page cannot be displayed in a frame, regardless of the site attempting to do
so.

SAMEORIGIN

The page can only be displayed if all ancestor frames are same origin to the
page itself. The whole ancestor chain is checked, so a same-origin parent frame
that is itself embedded in a third-party page does not satisfy this directive.

ALLOW-FROM origin Deprecated

This is an obsolete directive that no longer works in modern browsers. (Using it
will give the same behavior as omitting the header.) Don't use it. The
Content-Security-Policy HTTP header has a frame-ancestors directive which you
can use instead.

Browsers apply the header conservatively: if a response carries more than one
distinct X-Frame-Options value (for example SAMEORIGIN set by the application
and DENY added by a proxy), the page is blocked from framing altogether. Any
other token, ALLOW-FROM included, is ignored. An enforced
Content-Security-Policy with a frame-ancestors directive takes precedence, and
the X-Frame-Options header is then not consulted at all.
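To make the directive semantics concrete, here is an added example (not code from MDN) that models the check a browser performs on a framed navigation response, following the algorithm in the HTML Standard: conflicting values fail closed, SAMEORIGIN walks every ancestor, and unknown tokens are ignored. Origins are passed as URL strings; the header lists and origins in the usage section are constructed for illustration.

```javascript
// Added example, not code from MDN: a model of the X-Frame-Options check a
// browser performs when it receives a navigation response for a frame, following
// the algorithm in the HTML Standard. Origins are passed as URL strings and the
// inputs in the usage section are constructed for illustration.

// Collect every X-Frame-Options value from a response header list, splitting
// comma-separated field values and ASCII-lowercasing them, into a set. Browsers
// do the same, so two headers and one "SAMEORIGIN, DENY" header look alike.
function collectXfoValues(headerList) {
  const values = new Set();
  for (const [name, value] of headerList) {
    if (name.toLowerCase() !== "x-frame-options") continue;
    for (const part of value.split(",")) values.add(part.trim().toLowerCase());
  }
  return values;
}

// Same-origin comparison on scheme, host and port. URL.origin drops default
// ports, so "https://example.com:443" and "https://example.com" compare equal.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Returns true if the browser may render the framed document, false if it must
// block it. ancestorOrigins lists every ancestor document from the direct parent
// up to the top-level page; cspHasFrameAncestors models an enforced CSP that
// carries a frame-ancestors directive.
function xfoAllowsFraming({ documentOrigin, ancestorOrigins, headerList, cspHasFrameAncestors = false }) {
  if (ancestorOrigins.length === 0) return true;  // top-level navigation: nothing to check
  if (cspHasFrameAncestors) return true;          // CSP frame-ancestors takes over; XFO is skipped
  const values = collectXfoValues(headerList);
  if (values.size === 0) return true;             // header absent: any site may frame the page
  if (values.size > 1) return false;              // conflicting values: fail closed
  const [policy] = values;
  if (policy === "deny") return false;
  if (policy === "sameorigin") {
    // Every ancestor must be same-origin, not just the top-level document.
    return ancestorOrigins.every((origin) => sameOrigin(origin, documentOrigin));
  }
  return true;  // any other token (ALLOWALL, ALLOW-FROM ...) is ignored
}

// Constructed usage
const framedPage = "https://app.example";
console.log(xfoAllowsFraming({ documentOrigin: framedPage, ancestorOrigins: ["https://evil.example"],
  headerList: [["X-Frame-Options", "SAMEORIGIN"]] }));                                    // false
console.log(xfoAllowsFraming({ documentOrigin: framedPage, ancestorOrigins: ["https://app.example", "https://evil.example"],
  headerList: [["X-Frame-Options", "SAMEORIGIN"]] }));                                    // false: top-level page is foreign
console.log(xfoAllowsFraming({ documentOrigin: framedPage, ancestorOrigins: ["https://app.example"],
  headerList: [["X-Frame-Options", "SAMEORIGIN"], ["X-Frame-Options", "DENY"]] }));        // false: conflicting values
console.log(xfoAllowsFraming({ documentOrigin: framedPage, ancestorOrigins: ["https://evil.example"],
  headerList: [["X-Frame-Options", "ALLOW-FROM https://partner.example"]] }));             // true: ALLOW-FROM is ignored
```

The third call is the case operators run into most often: an application framework and a reverse proxy each set the header, the values differ, and legitimate same-origin embedding silently breaks. The fourth shows why ALLOW-FROM is worse than useless; it reads like a restriction but leaves the page framable by anyone.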


EXAMPLES

Note: Setting X-Frame-Options inside the <meta> element is useless! For
instance, <meta http-equiv="X-Frame-Options" content="deny"> has no effect. Do
not use it! X-Frame-Options works only by setting through the HTTP header, as in
the examples below.


CONFIGURING APACHE

To configure Apache to send the X-Frame-Options header for all pages, add this
to your site's configuration:

Header always set X-Frame-Options "SAMEORIGIN"

To configure Apache to set X-Frame-Options to DENY, add this to your site's
configuration:

Header always set X-Frame-Options "DENY"

Keep the always condition: without it mod_headers does not add the header to
error responses Apache generates itself (its built-in 403 or 404 pages, for
example), and those pages would remain framable.


CONFIGURING NGINX

To configure Nginx to send the X-Frame-Options header, add this either to your
http, server or location configuration:

add_header X-Frame-Options SAMEORIGIN always;

The always parameter makes Nginx send the header on every response code rather
than only on 2xx and 3xx responses. Note also that add_header directives are
inherited from the enclosing block only when the current block defines none of
its own, so a location block that adds any header of its own must repeat this
directive.

CONFIGURING IIS

To configure IIS to send the X-Frame-Options header, add this to your site's
Web.config file:

<system.webServer>
  …

  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="SAMEORIGIN" />
    </customHeaders>
  </httpProtocol>

  …
</system.webServer>


Or see this Microsoft support article on setting this configuration using the
IIS Manager user interface.


CONFIGURING HAPROXY

To configure HAProxy to send the X-Frame-Options header, add this to your
front-end, listen, or backend configuration:

rspadd X-Frame-Options:\ SAMEORIGIN

Alternatively, in newer versions:

http-response set-header X-Frame-Options SAMEORIGIN

rspadd is a legacy keyword that current HAProxy releases no longer accept, so
use the http-response form unless you are running an old version.


CONFIGURING EXPRESS

To configure Express to send the X-Frame-Options header, you can use helmet,
which uses frameguard to set the header. Register it before your routes so that
every response, including those from error handlers, carries the header:

const express = require("express");
const helmet = require("helmet");

const app = express();
// Sends "X-Frame-Options: SAMEORIGIN" on every response; use "deny" to forbid framing entirely
app.use(helmet.frameguard({ action: "SAMEORIGIN" }));

Alternatively, you can use frameguard directly:

const express = require("express");
const frameguard = require("frameguard");

const app = express();
app.use(frameguard({ action: "SAMEORIGIN" }));

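Whichever server sets the header, verify the result rather than trusting the configuration. The following added example (not code from MDN) audits a set of captured responses for the mistakes the snippets above are meant to prevent: protection missing on error pages, conflicting values from two layers, and the ignored ALLOW-FROM form. The captures are constructed for illustration; in practice you would collect them with `curl -sI` or from a proxy log.

```javascript
// Added example, not code from MDN: a deployment check for the server
// configurations above. It takes responses captured from a site and reports
// where framing protection is missing or set in a way browsers will not honour
// as intended. Header names are matched case-insensitively, as HTTP requires.

const VALID_XFO = new Set(["deny", "sameorigin"]);

// Comma-split, trimmed, lowercased values of one header, in order of appearance.
function headerValues(headers, name) {
  const out = [];
  for (const [n, v] of headers) {
    if (n.toLowerCase() === name) out.push(...v.split(",").map((s) => s.trim().toLowerCase()));
  }
  return out;
}

// An enforced CSP (not the Report-Only variant) with a frame-ancestors directive
// is the modern control; when present, browsers ignore X-Frame-Options.
function hasFrameAncestors(headers) {
  return headers.some(([n, v]) =>
    n.toLowerCase() === "content-security-policy" && /(^|;)\s*frame-ancestors\b/i.test(v));
}

// Returns the findings for one captured response as { url, status, level, message }.
function auditResponse({ url, status, headers }) {
  const findings = [];
  const flag = (level, message) => findings.push({ url, status, level, message });
  const xfo = headerValues(headers, "x-frame-options");
  const csp = hasFrameAncestors(headers);

  if (xfo.length === 0 && !csp) {
    flag("error", status >= 400
      ? "error response has no framing protection; set the header for all responses, error pages included"
      : "no X-Frame-Options or CSP frame-ancestors; the page can be framed by any site");
    return findings;
  }
  const unique = new Set(xfo);
  if (unique.size > 1) {
    // Browsers fail closed here, so same-origin embedding breaks; one layer should stop setting it.
    flag("warn", `conflicting X-Frame-Options values (${[...unique].join(" / ")}); browsers will block all framing`);
  } else if (unique.size === 1) {
    const [value] = unique;
    if (value.startsWith("allow-from")) {
      flag("error", "ALLOW-FROM is ignored by modern browsers, leaving the page framable; use CSP frame-ancestors");
    } else if (!VALID_XFO.has(value)) {
      flag("error", `unknown X-Frame-Options value "${value}" is ignored by browsers`);
    } else if (!csp) {
      flag("info", "consider adding Content-Security-Policy: frame-ancestors, which supersedes X-Frame-Options");
    }
  }
  return findings;
}

function auditAll(captures) {
  return captures.flatMap(auditResponse);
}

// Constructed captures standing in for `curl -sI` output across one site
const sampleCaptures = [
  { url: "https://app.example/", status: 200, headers: [["Content-Type", "text/html"], ["X-Frame-Options", "SAMEORIGIN"]] },
  { url: "https://app.example/does-not-exist", status: 404, headers: [["Content-Type", "text/html"]] },
  { url: "https://app.example/legacy", status: 200, headers: [["X-Frame-Options", "ALLOW-FROM https://partner.example"]] },
  { url: "https://app.example/api", status: 200, headers: [["X-Frame-Options", "SAMEORIGIN"], ["X-Frame-Options", "DENY"]] },
  { url: "https://app.example/modern", status: 200, headers: [["Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"]] },
];

for (const f of auditAll(sampleCaptures)) {
  console.log(`${f.level.toUpperCase().padEnd(5)} ${f.status} ${f.url}: ${f.message}`);
}
```

The 404 capture is the one most audits miss: a framework that sets the header in application code never sees requests the web server answers itself, which is exactly what the Apache `always` condition and the Nginx `always` parameter above address.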

SPECIFICATIONS

Specification: HTML Standard, section "the-x-frame-options-header"


BROWSER COMPATIBILITY

Feature                             | Chrome | Edge  | Firefox | Opera | Safari | Chrome Android | Firefox for Android | Opera Android | Safari on iOS | Samsung Internet | WebView Android
X-Frame-Options                     | 4      | 12    | 4       | 10.5  | 4      | Yes            | Yes                 | Yes           | Yes           | Yes              | Yes
ALLOW-FROM (deprecated, non-standard) | No   | 12–18 | 18–69   | No    | No     | No             | 18                  | ?             | No            | No               | No
SAMEORIGIN                          | Yes *  | 12    | Yes *   | Yes * | Yes    | Yes *          | Yes *               | Yes *         | ?             | Yes              | Yes *

Legend: a version number is the first release with full support; a range such
as 12–18 gives the releases in which support existed before it was removed;
"?" means compatibility is unknown; "*" means the compatibility data carries
implementation notes for that browser.

The compatibility table on this page is generated from structured data
maintained at https://github.com/mdn/browser-compat-data.


SEE ALSO

 * Content-Security-Policy directive frame-ancestors
 * ClickJacking Defenses - IEBlog
 * Combating ClickJacking with X-Frame-Options - IEInternals

This page was last modified on Mar 3, 2023 by MDN contributors.
Portions of this content are ©1998–2023 by individual mozilla.org contributors.
Content available under a Creative Commons license.