X-Frame-Options

A header that controls whether your page can be embedded in an iframe.

X-Frame-Options is an older response header with three effective values: DENY (no framing at all), SAMEORIGIN (framing only by pages from the same origin), or ALLOW-FROM uri (legacy; poorly supported, and browsers that do not implement it ignore the header entirely). Modern guidance prefers CSP's frame-ancestors, which is more expressive and, in browsers that support it, takes precedence over X-Frame-Options, but many scanners still look for XFO first.

Why developers care

Without it (and without a restrictive frame-ancestors), an attacker can load your logged-in app in a hidden iframe and trick users into clicking actions they cannot see—classic clickjacking. Banking and admin UIs treat this as mandatory. Setting DENY or SAMEORIGIN is usually a one-line change at the reverse proxy.

Example

X-Frame-Options: SAMEORIGIN

Modern complement (CSP):

Content-Security-Policy: frame-ancestors 'self'
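As an added example (not code from the original page or from any tool it mentions), the following Python checker classifies a response's clickjacking protection the way a header scanner would: an enforced CSP frame-ancestors directive is credited first, X-Frame-Options second, and report-only policies, ALLOW-FROM, duplicated and invalid values are flagged rather than trusted. The header values and host names are constructed for illustration.

```python
# Added example: classify framing protection from response headers.
# Sample header values and host names below are constructed, not real sites.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class FramingPolicy:
    source: str                     # "csp", "xfo" or "none"
    allowed: List[str]              # who may frame the page; [] = nobody, ["*"] = anyone
    notes: List[str] = field(default_factory=list)

    def is_protected(self) -> bool:
        """True when an enforced policy restricts who may frame the page."""
        return self.source != "none" and "*" not in self.allowed


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def evaluate_framing(headers: Dict[str, str]) -> FramingPolicy:
    """Classify framing protection. Assumes one value per header name."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    notes: List[str] = []

    # 1. An enforced CSP frame-ancestors directive takes precedence over XFO.
    csp = h.get("content-security-policy")
    ancestors = parse_frame_ancestors(csp) if csp is not None else None
    if ancestors is not None:
        if "x-frame-options" in h:
            notes.append("both headers set; browsers that support frame-ancestors ignore X-Frame-Options")
        if ancestors == ["'none'"]:
            return FramingPolicy("csp", [], notes)
        return FramingPolicy("csp", ancestors, notes)

    # A report-only policy logs violations but never blocks framing.
    ro = h.get("content-security-policy-report-only")
    if ro is not None and parse_frame_ancestors(ro) is not None:
        notes.append("frame-ancestors appears only in a report-only CSP and is not enforced")

    # 2. Fall back to X-Frame-Options.
    xfo = h.get("x-frame-options")
    if xfo is None:
        notes.append("no framing restriction: the page can be embedded by any site")
        return FramingPolicy("none", ["*"], notes)
    value = xfo.strip()
    if "," in value:
        # Several values (e.g. from duplicated headers) are handled inconsistently
        # across browsers; a scanner should not credit them.
        notes.append("multiple X-Frame-Options values; send exactly one")
        return FramingPolicy("none", ["*"], notes)
    upper = value.upper()
    if upper == "DENY":
        return FramingPolicy("xfo", [], notes)
    if upper == "SAMEORIGIN":
        return FramingPolicy("xfo", ["'self'"], notes)  # CSP notation for uniform output
    if upper.startswith("ALLOW-FROM") and value[len("ALLOW-FROM"):].strip():
        uri = value[len("ALLOW-FROM"):].strip()
        notes.append("ALLOW-FROM is legacy; browsers without support ignore the header entirely")
        return FramingPolicy("xfo", [uri], notes)
    notes.append(f"unrecognised X-Frame-Options value {value!r}; browsers ignore invalid values")
    return FramingPolicy("none", ["*"], notes)


if __name__ == "__main__":
    # Constructed sample responses, as a scanner might see them.
    samples = {
        "proxy default": {"X-Frame-Options": "SAMEORIGIN"},
        "csp only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://partner.example"},
        "report-only": {"Content-Security-Policy-Report-Only": "frame-ancestors 'none'"},
        "nothing": {"Content-Type": "text/html"},
    }
    for name, hdrs in samples.items():
        p = evaluate_framing(hdrs)
        print(f"{name:14} protected={p.is_protected()!s:5} source={p.source} allowed={p.allowed} {p.notes}")
```

Run it against a real response by passing the response's header mapping to evaluate_framing; the notes explain why a page that appears to send a framing header still scores as unprotected.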

Spec

RFC 7034
