
Prevent rendering your page inside an iframe using X-Frame-Options



Setting the response header X-Frame-Options to DENY or SAMEORIGIN will prevent your page from being displayed inside another site and will stop most clickjacking attacks.

DENY
will prevent your page completely from being displayed in an iframe.
PHP example:

<?php
// header() must be called before any output is sent to the browser
header('X-Frame-Options: DENY');
?>

SAMEORIGIN
will prevent your page from being displayed in other sites (in our case, to allow displaying your page in an iframe, "same site" means it must be the same domain with the same protocol).
PHP example:

<?php
// header() must be called before any output is sent to the browser
header('X-Frame-Options: SAMEORIGIN');
?>

Both options are well supported in the common web browsers (Chrome, Firefox, Safari, Opera, IE8 and above).

There's a third option, ALLOW-FROM, but I won't discuss it because it is poorly supported in most browsers.
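To make the three directives concrete, here is an added Python example (not code from the original post) that models how a browser decides whether a page carrying a given X-Frame-Options value may be rendered in a frame, and a small helper that finds the header in a captured response. It compares scheme, host and port as the "same origin" (the port is an assumption beyond the post's "same domain with the same protocol" wording, filled in with the scheme's default when absent). It also shows the practical consequence of ALLOW-FROM being poorly supported: a browser that does not implement it treats the whole header as invalid and ignores it, so the page can be framed anywhere. The sample headers and URLs are constructed.

```python
from urllib.parse import urlsplit


def origin_of(url: str) -> tuple[str, str, int]:
    """Return (scheme, host, port) for a URL, filling in the scheme's default port."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port or (443 if scheme == "https" else 80)
    return scheme, host, port


def framing_allowed(xfo_value, framed_url, embedding_url, supports_allow_from=False):
    """Decide whether a browser would render framed_url inside a frame on embedding_url,
    given the X-Frame-Options value it received (None if the header is absent).

    Returns (allowed, reason). supports_allow_from models the few browsers that ever
    implemented ALLOW-FROM; most do not, and then the header is ignored (fails open).
    """
    if xfo_value is None:
        return True, "no X-Frame-Options header: any site may frame the page"

    # The directive keyword is matched case-insensitively by browsers.
    directive, _, argument = xfo_value.strip().partition(" ")
    directive = directive.upper()

    if directive == "DENY":
        return False, "DENY: framing refused everywhere, even from the same origin"

    if directive == "SAMEORIGIN":
        if origin_of(framed_url) == origin_of(embedding_url):
            return True, "SAMEORIGIN: embedding page has the same scheme, host and port"
        return False, "SAMEORIGIN: embedding page is a different origin"

    if directive == "ALLOW-FROM":
        if not supports_allow_from:
            # Unsupported directive: the header is treated as invalid and ignored,
            # so the protection silently disappears.
            return True, "ALLOW-FROM not supported by this browser: header ignored"
        if argument and origin_of(argument.strip()) == origin_of(embedding_url):
            return True, "ALLOW-FROM: embedding page matches the allowed origin"
        return False, "ALLOW-FROM: embedding page is not the allowed origin"

    # Any other value is invalid; browsers ignore an invalid header.
    return True, f"unrecognised X-Frame-Options value {xfo_value!r}: header ignored"


def find_xfo(header_lines):
    """Return the X-Frame-Options value from raw response header lines, or None.

    Header names are case-insensitive, so 'x-frame-options' and 'X-Frame-Options'
    are treated alike. Only the first matching header is returned.
    """
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            return value.strip()
    return None


# Constructed sample response, as a scanner might capture it from a test server.
SAMPLE_RESPONSE = [
    "HTTP/1.1 200 OK",
    "Content-Type: text/html; charset=utf-8",
    "x-frame-options: SAMEORIGIN",
    "Content-Length: 1234",
]

if __name__ == "__main__":
    value = find_xfo(SAMPLE_RESPONSE)
    for embedder in ("https://example.test/embed", "http://example.test/embed",
                     "https://other.test/"):
        allowed, reason = framing_allowed(value, "https://example.test/page", embedder)
        print(f"{embedder:32} -> {'framed' if allowed else 'blocked'}: {reason}")
```

Running the script prints one line per embedding page: only the https://example.test embedder is allowed under SAMEORIGIN, while the http:// variant is blocked because the protocol differs, matching the "same domain with the same protocol" rule above. Swapping the value for an ALLOW-FROM string shows the fail-open behaviour in browsers that never implemented it.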
