Home / Tools / Set X-Frame-Options header to prevent clickjacking
Security Headers · Scan Check Guide

Set X-Frame-Options header to prevent clickjacking

10 min Impact: high Effort: medium ✓ Scan-verified — no manual checkbox

X-Frame-Options tells browsers whether your pages are allowed to be loaded inside an <iframe> on someone else's site — without it, an attacker can embed your real login page invisibly inside their own page and trick users into clicking things they don't intend to (clickjacking).

Without this header, attackers can embed your site in a hidden iframe and trick users into clicking invisible buttons — credential theft and unwanted actions (clickjacking).

How to fix it

  1. 1
    Add the header
    Set X-Frame-Options: SAMEORIGIN in your server config, CDN, or a middleware — this allows framing only from your own domain.
  2. 2
    Use DENY instead if you never frame your own pages
    DENY is stricter and fine unless you deliberately embed your own pages in iframes elsewhere on your site.
  3. 3
    Consider the modern CSP equivalent too
    frame-ancestors in your Content Security Policy does the same job with more flexibility, and is checked by modern browsers even where X-Frame-Options is ignored.

Common mistakes

How you'll know it's done

The response header X-Frame-Options: SAMEORIGIN (or DENY) is present on your pages.

Tools that help

H.I.V.E. checks this automatically

Fix it, then re-scan — the check confirms itself. No manual checkbox, the scan is the truth.

Run this check in H.I.V.E. →