X-Frame-Options something web developers should know

3:21 am on Nov 11, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member swa66 is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 7, 2003
votes: 0


Originally invented by Microsoft for IE8, but supported by a number of browsers, this idea might have more uses than what it was intended for originally.
Let's have a bit deeper look at what it is and how we can use it.

What is it good for?

Originally it was intended as a way to prevent clickjacking.

To understand clickjacking, let's first look at Cross Site Request Forgery (CSRF). CSRF is abusing the ability of browsers to interact with multiple servers at the same time. So you're logged into your bank and the attacker tricks you into clicking on a link that sends him some money.
Good websites protect themselves from this by e.g. using request tokens to make sure the request being received is intentional.
Many websites are vulnerable to various forms of CSRF, some even argue the majority of websites that interact with users are vulnerable somewhere.

Clickjacking is a way to trick visitors into interacting with a victim website without the user knowing he's doing it by e.g. overlaying other things such as images over the elements.

Framebusting is a common technique to prevent clickjacking, sadly framebusting can be defeated.

X-Frame-Options was introduced in a beta release of IE8 as an alternative.

So what is X-Frame-Options?

It's a HTTP response header.


It can be used to prevent framing of the pages that are delivered to browsers: the browser simply refuses to render the page in a frame if the header is present, depending on the set value.

Values are

  • DENY: Stops all framing
  • SAMEORIGIN: Stops framing except for the same website that delivered the page itself. (Allowing http://www.example.com/ to frame pages served from http://www.example.com/ with X-Frame-Options set to this value)

What does it not do?

It doesn't protect your web site from being a victim of clickjacking, as by far not all browsers support it. E.g. Microsoft neglected to backport it to the still widely popular IE6 and IE7 browsers.

So you still need all the other measures too.

Note that it's something that doesn't need javascript, has little odds of being defeated by smart attackers as long as the browser supports it, so it's not without merit.

Alternative to framebusting?

Since X-Frame-Options is in the security world an additional measure somewhat similar to where framebusting could be used, isn't it also an alternative to framebusting in other webmaster areas?

Sure it is: just remember that instead of taking over the entire tab, the browser will not render it at all. And your regular framebusting JavaScript has no chance, as it'll not get loaded if the browser supports this.

Browsers that support it

  • IE8
  • Safari
  • Chrome
  • Firefox with the NoScript addon

It's not backported to IE6 and IE7

How to send out the header using IIS

Open the Internet Service Manager
HTTP Headers tab
in the Custom Headers section: Add...

Custom Header Name: X-Frame-Options
Custom Header Value: "DENY" or "SAMEORIGIN" (without the quotes).

Can anybody confirm/correct this (I don't run IIS)?

How to send out the header using Apache

Add this to your httpd.conf:

Header always append X-Frame-Options SAMEORIGIN

Other ways to set X-Frame-Options

If you generate your page on the server and can change the HTTP headers, you can add it from your server side scripts.
PHP, Java EE, .NET etc. all can set it there.


Note this isn't new, it's just something that I found a bit under-covered out here.
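
As an added example (my code, not swa66's and not part of this thread): a small Python model of the two sides described above. build_response() shows where the header sits in a server's reply, which is all a PHP header() call or an Apache Header directive does; framing_allowed() shows how a browser that supports the header decides whether to render that reply inside a frame, comparing origins for SAMEORIGIN and refusing outright for DENY. The URLs are constructed sample values, and the handling of conflicting or unrecognised header values (conflict blocks, unknown value is ignored) is an assumption modelled on Chromium's behaviour, marked as such in the code.

```python
# Added example, not code from the thread: a small model of the two sides of
# X-Frame-Options. build_response() shows where the header goes in a server's
# reply; framing_allowed() shows how a supporting browser decides whether to
# render that reply inside a frame. Assumptions are marked below.
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Return scheme://host[:port] for a URL; this is what SAMEORIGIN compares."""
    parts = urlsplit(url)
    default_port = {"http": 80, "https": 443}.get(parts.scheme)
    host = parts.hostname or ""
    if parts.port is None or parts.port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{parts.port}"


def build_response(body: bytes, policy: str = "SAMEORIGIN") -> bytes:
    """Build a minimal HTTP/1.1 response that carries X-Frame-Options.

    This is the line that header("X-Frame-Options: SAMEORIGIN") in PHP or
    `Header set X-Frame-Options SAMEORIGIN` in Apache adds to the reply.
    """
    if policy not in ("DENY", "SAMEORIGIN"):
        raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
    head = (
        "HTTP/1.1 200 OK\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        f"Content-Length: {len(body)}\r\n"
        f"X-Frame-Options: {policy}\r\n"
        "\r\n"
    )
    return head.encode("iso-8859-1") + body


def parse_response(raw: bytes):
    """Split a raw response into (status line, headers dict, body).

    Header names are case-insensitive, so they are lower-cased. A header that
    occurs twice is joined with ", ", which is also the value Apache's
    `Header append` produces when the header was already set elsewhere.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers, body


def framing_allowed(headers: dict, page_url: str, framer_url: str) -> bool:
    """Decide whether a page fetched from page_url may be framed by framer_url.

    Models a browser that supports the header: True means "render in the
    frame", False means "refuse", as IE8 does with its "cannot be displayed
    in a frame" page.
    """
    value = headers.get("x-frame-options")
    if value is None:
        return True  # no header: X-Frame-Options places no restriction
    directives = {d.strip().upper() for d in value.split(",")}
    if len(directives) > 1:
        # Assumption (Chromium's behaviour): conflicting directives such as
        # "SAMEORIGIN, DENY" are treated as DENY rather than ignored.
        return False
    directive = directives.pop()
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    # Assumption: an unrecognised value is ignored, as browsers generally do,
    # so a typo in the config silently leaves the page frameable.
    return True


if __name__ == "__main__":
    # Constructed sample: an account page framed from its own site and from elsewhere.
    reply = build_response(b"<p>account page</p>", "SAMEORIGIN")
    status, hdrs, _ = parse_response(reply)
    page = "https://www.example.com/account"
    for framer in ("https://www.example.com/portal", "http://attacker.example.net/"):
        verdict = "rendered" if framing_allowed(hdrs, page, framer) else "refused"
        print(f"{framer} framing {page}: {verdict}")
```

Two points the model makes visible: SAMEORIGIN compares scheme, host and port, so an https page is not frameable by an http page from the same host; and a header that reaches the browser twice (for example `Header append` in both httpd.conf and .htaccess) arrives as "SAMEORIGIN, DENY", which a supporting browser treats as a conflict and blocks. `Header set` instead of `Header append` avoids the second case.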

12:40 pm on Nov 11, 2009 (gmt 0)

Senior Member from CA 

WebmasterWorld Senior Member httpwebwitch is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Aug 29, 2003
votes: 0

A truly useful addition to HTTP. Anyone involved in web security should learn about this!

How to send out the header using PHP:
header("X-Frame-Options: SAMEORIGIN");

9:18 am on Nov 15, 2009 (gmt 0)

Preferred Member

10+ Year Member

joined:June 16, 2003
posts: 615
votes: 0

Great info. Tried this with IIS6 but it doesn't seem to work.

3:01 pm on Nov 15, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:Dec 27, 2004
votes: 73

IIS6, added the header with value DENY:

  This content cannot be displayed in a frame
  To protect your security, the publisher of this content does not allow it to be displayed in a frame. :)
  Click here to open this content in a new window

  • Safari 4.0.3: get a blank screen :)
  • Opera 9.64: displays the content :(
  • IE7: displays the content :(
  • IE8: blocks the content! :)

Thanks for the heads up.

7:18 pm on Nov 15, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 5, 2005
posts: 2041
votes: 1

Apache (1.3.x) variations on a theme... A-OK in .htaccess:

Header append X-FRAME-OPTIONS "DENY"

8:49 am on Nov 16, 2009 (gmt 0)

Senior Member from ES 

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month

joined:July 24, 2002
votes: 2

Then this would also block Google image search's top frame?

2:59 pm on Nov 16, 2009 (gmt 0)

Senior Member

WebmasterWorld Senior Member kaled is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:Mar 2, 2003
votes: 0

This is not a subject I have ever considered; however, wouldn't this be unnecessary if browsers refused to display framed content in a secure page unless the security certificate matched that of the parent frame (and Ajax was similarly blocked)? I guess the reverse would also have to be blocked (i.e. displaying a secure page within a standard page).

Perhaps I am missing something!


