Where developers come to connect, share, build and be inspired.


Prevent rendering your page inside an iframe using X-Frame-Options


Setting the reponse header: X-Frame-Options to DENY or SAMEORIGIN will prevent your page to be displayed in another site and will prevent most clickjacking attacks

will prevent your page completely from being displayed in an iframe.
php example:

header('X-Frame-Options: DENY');

will prevent you page from being displayed in other sites (in our case to allow displaying your page in an iframe, "same site" means it must be the same domain with the same protocol).
php example:

header('X-Frame-Options: SAMEORIGIN');

Both options are well supported in most of the common web browsers (chrome, firefox, safari, opera, IE8 and above)

There's a third option ALLOW-FROM, but I won't discuss it because it is badly supported in most of the browsers.


Add a comment