This recipe is designed to empower website owners with effortless control over the embedding of their web pages in iframes. This is achieved by configuring the X-Frame-Options response header, allowing users to choose between two key restriction modes: "deny" and "sameorigin."


  • Enhanced Security: By configuring the X-Frame-Options response header, users improve the security of their web pages. This recipe prevents unauthorized embedding, mitigating the risk of clickjacking and ensuring that their content is displayed only in a controlled and secure manner.
  • Content Control: The ability to restrict iframe embedding provides website owners with greater control over how and where their content is presented. This is particularly valuable for maintaining the integrity of the user experience and brand image.
  • Compliance with Best Practices: Adhering to best practices in web security, the recipe ensures that websites align with industry standards for preventing unauthorized embedding. This not only protects the website but also fosters trust among visitors.

You can choose between two restriction modes:

  • deny prohibits all iframe embedding, ensuring the web page cannot be embedded anywhere.
  • sameorigin permits embedding only on pages with the same origin as the web page, providing a more permissive yet controlled option.

Read more about X-Frame-Options:

How to install this recipe on my website with

Installing this recipe on your website requires the following steps:

  1. Choose the restriction mode: Decide on the appropriate restriction mode for your website:
    • deny: Select this mode to strictly prohibit any iframe embedding of your web pages. This means that even on your website, browsers will refuse to load your pages in iframes.
    • "sameorigin: Choose this mode to allow embedding only on pages with the same origin as your web pages.
  2. Install the recipe: Once the restriction mode is selected, click the "Install on My Website" button below. This action triggers the configuration of the X-Frame-Options response header according to your chosen settings.
  3. Review the newly created rule: examine the rule generated by the recipe to ensure that the X-Frame-Options response header is configured as per your chosen restriction mode. You may want to edit the rule to restrict the conditions that trigger its execution.
  4. Publish the rule: after reviewing and confirming the settings, publish the newly created rules. This final step deploys the draft changes to your website, securing your web pages from unauthorized iframe embedding.