Last Updated: February 25, 2016 · 31.37K · marcelo

Prevent rendering your page inside an iframe using X-Frame-Options

Setting the response header X-Frame-Options to DENY or SAMEORIGIN will prevent your page from being displayed inside another site's iframe and will stop most clickjacking attacks.

DENY
will prevent your page completely from being displayed in an iframe.
PHP example:

<?php
header('X-Frame-Options: DENY');
?>

SAMEORIGIN
will prevent your page from being displayed in other sites (in our case, to allow displaying your page in an iframe, "same site" means the same domain with the same protocol).
PHP example:

<?php
header('X-Frame-Options: SAMEORIGIN');
?>

Both options are well supported by most common web browsers (Chrome, Firefox, Safari, Opera, IE8 and above).

There's a third option, ALLOW-FROM, but I won't discuss it because it is badly supported in most browsers.
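As an added example (not from the original post), here is a small Python audit that inspects a response's X-Frame-Options header the way a defender checking their own site would: it accepts DENY and SAMEORIGIN (values are case-insensitive), and flags a missing header, duplicate headers, the poorly supported ALLOW-FROM, and misspelt values that browsers silently ignore. The sample responses are constructed, not captured from any real server.

```python
from typing import List, Tuple

# Directives browsers widely honour; matched case-insensitively (RFC 7034).
SAFE_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def x_frame_options_values(raw_headers: str) -> List[str]:
    """Return every X-Frame-Options value found in a raw HTTP header block."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values


def audit_x_frame_options(raw_headers: str) -> Tuple[bool, str]:
    """Return (framing_blocked, reason) for one response.

    framing_blocked is True only when exactly one X-Frame-Options header
    is present and it carries DENY or SAMEORIGIN.
    """
    values = x_frame_options_values(raw_headers)
    if not values:
        return False, "header missing: any site can frame this page (clickjacking risk)"
    if len(values) > 1:
        return False, "multiple X-Frame-Options headers: browsers handle conflicts inconsistently, send exactly one"
    directive = values[0].upper()
    if directive in SAFE_DIRECTIVES:
        return True, f"{directive}: framing restricted"
    if directive.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is poorly supported; browsers that do not know it ignore the header"
    return False, f"unrecognised value {values[0]!r}: browsers ignore it, page can be framed"


# Constructed sample responses (not real captures).
RESPONSE_PHP_DENY = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"
RESPONSE_NO_HEADER = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
RESPONSE_LOWERCASE = "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n"
RESPONSE_ALLOW_FROM = "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n"
RESPONSE_TYPO = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAME-ORIGIN\r\n\r\n"

if __name__ == "__main__":
    for name, resp in [("deny", RESPONSE_PHP_DENY), ("none", RESPONSE_NO_HEADER),
                       ("lowercase", RESPONSE_LOWERCASE), ("allow-from", RESPONSE_ALLOW_FROM),
                       ("typo", RESPONSE_TYPO)]:
        blocked, reason = audit_x_frame_options(resp)
        print(f"{name:10} blocked={blocked} {reason}")
```

Only the exact tokens DENY and SAMEORIGIN count; a hyphenated SAME-ORIGIN, as in the last sample, leaves the page frameable even though the header is present.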

Resources: