Missing X-Frame-Options header

The X-Frame-Options header is absent. Your site can be embedded in an iframe on any other site.

Why it matters

Clickjacking attacks overlay your site in a transparent iframe to trick your users into performing unwanted actions.

How to fix

  1. Via .htaccess (Apache, mod_headers)

     <IfModule mod_headers.c>
       Header always set X-Frame-Options "SAMEORIGIN"
     </IfModule>

  2. Via Nginx

     add_header X-Frame-Options "SAMEORIGIN" always;

  3. Modern alternative: Content-Security-Policy frame-ancestors

     The CSP frame-ancestors directive replaces X-Frame-Options in modern browsers and offers more flexibility, since it can allow framing from specific origins. Apache example:

     Header always set Content-Security-Policy "frame-ancestors 'self';"

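To verify the fix the way a header scanner does, here is an added example (not code from the original page) that classifies a response's clickjacking protection from its headers: a CSP frame-ancestors directive wins over X-Frame-Options, as in modern browsers, and the deprecated ALLOW-FROM form is reported as unprotected. The sample header sets at the bottom are constructed, and fetch_and_assess is a hypothetical helper for live checks.

```python
# Added example, not part of the original audit page: classify a response's
# clickjacking protection from its headers the way a header scanner would.
import urllib.request

UNRESTRICTED = {"*", "http:", "https:"}  # frame-ancestors sources that allow any origin


def frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]  # an empty list means 'none' per the CSP spec
    return None


def assess_framing(headers):
    """Return {'protected': bool, 'reason': str} for a dict of response headers.

    Header names are matched case-insensitively. A CSP frame-ancestors directive
    takes precedence over X-Frame-Options, which is what modern browsers do.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy")
    sources = frame_ancestors(csp) if csp else None
    if sources is not None:
        if any(s.lower() in UNRESTRICTED for s in sources):
            return {"protected": False, "reason": "frame-ancestors allows any origin"}
        return {"protected": True, "reason": "frame-ancestors " + (" ".join(sources) or "'none'")}
    xfo = h.get("x-frame-options")
    if xfo is None:
        return {"protected": False, "reason": "Missing X-Frame-Options header"}
    value = xfo.upper()
    if value in ("DENY", "SAMEORIGIN"):
        return {"protected": True, "reason": "X-Frame-Options " + value}
    if value.startswith("ALLOW-FROM"):
        # Deprecated: modern browsers ignore the whole header, leaving the page frameable.
        return {"protected": False, "reason": "X-Frame-Options ALLOW-FROM is ignored by modern browsers"}
    # Anything else (including conflicting comma-separated values) is treated as invalid.
    return {"protected": False, "reason": "invalid X-Frame-Options value: " + xfo}


def fetch_and_assess(url):
    """Hypothetical helper: fetch a URL and assess its final response headers (needs network)."""
    with urllib.request.urlopen(url) as resp:
        return assess_framing(dict(resp.headers.items()))


if __name__ == "__main__":
    samples = {  # constructed sample header sets, not real scan output
        "missing": {},
        "xfo": {"X-Frame-Options": "SAMEORIGIN"},
        "csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://app.example.com"},
        "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *", "X-Frame-Options": "DENY"},
    }
    for name, hdrs in samples.items():
        print(name, assess_framing(hdrs))
```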