
.htaccess Frame Options

The X-Frame-Options HTTP header field indicates a policy that specifies whether the browser should render the transmitted resource within a <frame> or an <iframe>.

Servers declare this policy in their HTTP response headers to prevent clickjacking attacks, by ensuring that their content is not embedded into other pages or frames.

X-Frame-Options accepts three possible values. The header field must be set to exactly one of them.

Value        Description
DENY         A browser receiving content with this header field must not display this content in any frame.
SAMEORIGIN   A browser receiving content with this header field must not display this content in any frame from a page of a different origin than the content itself.
ALLOW-FROM   A browser receiving content with this header field must not display this content in a frame from any page whose top-level browsing context has a different origin than the specified origin.

You should ensure that you send the X-Frame-Options header for all pages that allow a user to perform a state-changing operation (e.g. pages containing one-click purchase links, checkout or bank-transfer confirmation pages, and pages that make permanent configuration changes).

Example:

<IfModule mod_headers.c>
# "always" also covers error responses; the expr= condition restricts the header to HTML responses.
Header always set X-Frame-Options "DENY" "expr=%{CONTENT_TYPE} =~ m#text/html#i"
</IfModule>
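To verify that a deployment such as the one above actually delivers the policy, the following checker applies the value rules from the table (exactly one of DENY, SAMEORIGIN or ALLOW-FROM) to a response's headers. This is an added example, not code from the original page or from Apache; the header dicts it inspects are constructed samples, and the `assess_frame_protection` and `frame_ancestors` names are this example's own. It goes one step beyond the page by also recognising the Content-Security-Policy `frame-ancestors` directive, which current browsers honour in place of the obsolete ALLOW-FROM value.

```python
"""Check whether an HTTP response's headers stop the page from being framed.

Added example, not part of the original page. It applies the X-Frame-Options
value rules (exactly one of DENY, SAMEORIGIN, ALLOW-FROM) and also recognises
the Content-Security-Policy frame-ancestors directive, the modern replacement
for ALLOW-FROM. Headers arrive as a dict (e.g. from a requests response);
the sample responses in main() are constructed for the demonstration.
"""
from typing import Dict, List

XFO_TOKENS = ("DENY", "SAMEORIGIN", "ALLOW-FROM")


def split_xfo(raw: str) -> List[str]:
    """Split a header value on commas, which is how repeated header fields are joined."""
    return [part.strip() for part in raw.split(",") if part.strip()]


def frame_ancestors(csp: str) -> List[str]:
    """Return the source list of a CSP frame-ancestors directive, or [] if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []


def assess_frame_protection(headers: Dict[str, str]) -> Dict[str, object]:
    """Return {'protected': bool, 'findings': [...]} for one response.

    Header names are matched case-insensitively. Non-HTML responses cannot be
    framed as documents, so they pass without a finding.
    """
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []
    protected = False

    if "text/html" not in h.get("content-type", "").lower():
        return {"protected": True, "findings": ["non-HTML response; no framing policy needed"]}

    # Browsers that understand frame-ancestors apply it and ignore X-Frame-Options.
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources:
        protected = True
        findings.append("CSP frame-ancestors %s in effect" % " ".join(sources))

    raw = h.get("x-frame-options")
    if raw is None:
        if not protected:
            findings.append("X-Frame-Options missing on an HTML page")
        return {"protected": protected, "findings": findings}

    values = split_xfo(raw)
    if len(values) != 1:
        # The rule is exactly one value; conflicting values are treated as invalid.
        findings.append("conflicting X-Frame-Options values %r; browsers ignore the header" % values)
        return {"protected": protected, "findings": findings}

    token = values[0].split()[0].upper()
    if token not in XFO_TOKENS:
        findings.append("unknown X-Frame-Options value %r" % values[0])
    elif token == "ALLOW-FROM":
        # Obsolete: current browsers ignore ALLOW-FROM, so on its own it protects nothing.
        findings.append("ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors")
    else:
        protected = True
        findings.append("X-Frame-Options %s in effect" % token)
    return {"protected": protected, "findings": findings}


if __name__ == "__main__":
    # Constructed sample responses for the demonstration.
    samples = {
        "checkout page, DENY": {"Content-Type": "text/html; charset=utf-8", "X-Frame-Options": "DENY"},
        "checkout page, no header": {"Content-Type": "text/html"},
        "duplicate header values": {"Content-Type": "text/html", "X-Frame-Options": "DENY, SAMEORIGIN"},
        "ALLOW-FROM only": {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "ALLOW-FROM plus CSP": {"Content-Type": "text/html", "X-Frame-Options": "ALLOW-FROM https://partner.example",
                                "Content-Security-Policy": "default-src 'self'; frame-ancestors https://partner.example"},
        "static image": {"Content-Type": "image/png"},
    }
    for label, hdrs in samples.items():
        verdict = assess_frame_protection(hdrs)
        print("%-26s protected=%-5s %s" % (label, verdict["protected"], "; ".join(verdict["findings"])))
```

Run it against a real deployment by feeding the checker the headers of each state-changing page; a "missing" or "conflicting" finding on an HTML page is the condition the .htaccess rule above is meant to rule out, and an ALLOW-FROM finding means the page relies on a value browsers no longer honour.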
