X-Frame-Options is an HTTP response header that controls whether a page can be displayed within <iframe>, <frame>, <embed>, or <object>. This header helps prevent clickjacking attacks. The X-Frame-Options header can be set to one of the following values:
DENY: Indicates that the page cannot be displayed in any frame, including frames on the same domain.
SAMEORIGIN: Indicates that the page can be displayed only in frames on the same domain.
ALLOW-FROM uri: Indicates that the page can be displayed in frames from the specified source; however, note that this value is deprecated and not supported by all browsers.
To set X-Frame-Options, configure your web server to add this HTTP response header. Below are examples for common web servers:
Apache
For Apache servers, add one of the following lines to the .htaccess file or the server configuration file:
Header always set X-Frame-Options "DENY"
or
Header always set X-Frame-Options "SAMEORIGIN"
Ensure that mod_headers is enabled; otherwise, the Header directive will not work.
Nginx
For Nginx servers, add the following line to the server or location block in the server configuration file:
add_header X-Frame-Options "DENY";
or
add_header X-Frame-Options "SAMEORIGIN";
IIS (Internet Information Services)
For IIS servers, set the response header by editing the website's web.config file as follows:
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="DENY" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
Remember that setting X-Frame-Options directly on the <iframe> tag is invalid. This setting must be sent by the server providing the page content via the response header.
Also note that X-Frame-Options is gradually being replaced by the more modern and flexible frame-ancestors directive within the Content-Security-Policy (CSP) response header. If you need finer-grained control, consider using CSP.
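As an added example (not code from the original text), the following hypothetical Python checker classifies the framing policy that a set of response headers expresses: it recognises DENY and SAMEORIGIN, flags the deprecated ALLOW-FROM form and invalid values, and gives CSP frame-ancestors precedence, since browsers that support that directive ignore X-Frame-Options when both are present. The header dictionary at the end is constructed sample data.

```python
# Hypothetical checker (added example, not from the original page): classify
# the framing policy that a set of HTTP response headers expresses.
VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_xfo(value):
    """Classify one X-Frame-Options value (browsers match it case-insensitively)."""
    if value is None:
        return "missing"
    v = value.strip().upper()
    if v in VALID_XFO:
        return v
    if v.startswith("ALLOW-FROM"):
        return "ALLOW-FROM (deprecated, ignored by modern browsers)"
    return "invalid"


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.lower() for s in parts[1:]]
    return None


def framing_verdict(headers):
    """Return (verdict, detail). frame-ancestors is checked first because browsers
    that support it ignore X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    fa = frame_ancestors(h.get("content-security-policy"))
    if fa is not None:  # an empty source list also blocks all framing
        if fa in ([], ["'none'"]):
            return "blocked", "CSP frame-ancestors 'none'"
        return "restricted", "CSP frame-ancestors " + " ".join(fa)
    xfo = parse_xfo(h.get("x-frame-options"))
    if xfo == "DENY":
        return "blocked", "X-Frame-Options DENY"
    if xfo == "SAMEORIGIN":
        return "restricted", "X-Frame-Options SAMEORIGIN"
    if xfo == "missing":
        return "unprotected", "no framing policy header"
    return "unprotected", "X-Frame-Options " + xfo


# Constructed sample: the Apache DENY config above, plus a CSP that takes precedence.
SAMPLE = {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'self'"}
print(framing_verdict(SAMPLE))  # → ('restricted', "CSP frame-ancestors 'self'")
```

Run it against the headers captured from your own server to confirm that the configuration change actually reaches the client and is not overridden by a conflicting CSP.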