This recipe helps you control whether your website can be embedded in a third-party page via an "iframe". By configuring the X-Frame-Options
HTTP response header, you can forbid this practice to protect yourself against attacks such as "clickjacking".
Why is this important?
- Protection against clickjacking: This is the main benefit. By forbidding the embedding of your pages, you prevent an attacker from overlaying invisible elements on top of your site to trick a user into clicking on it without their knowledge.
- Control over your content: You decide where and how your pages can be displayed. This guarantees the integrity of your user experience and your brand image.
- Respect for best practices: Using this security header is a recommended standard practice for all websites. This reinforces your visitors' trust.
The two restriction modes
You can choose between two restriction policies:
- deny: Forbids all iframe embedding. Your page cannot be displayed in an iframe anywhere.
- sameorigin: Allows embedding only if the parent page has the same origin (same domain name) as your page.
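The decision a browser makes from these two values, written out as an added example (not code from redirection.io): it reads X-Frame-Options from a response (header names and values are case-insensitive), then decides whether the page may render inside a chain of framing pages. The sample responses and URLs are constructed; the assumption that every ancestor frame, not only the top-level page, must match for sameorigin follows current browsers and is labelled in the code.

```python
from urllib.parse import urlsplit

# Constructed sample responses (header name case varies on purpose).
SAMPLE_RESPONSES = {
    "deny-page": {"Content-Type": "text/html", "x-frame-options": "DENY"},
    "same-page": {"Content-Type": "text/html", "X-Frame-Options": "sameorigin"},
    "unprotected": {"Content-Type": "text/html"},
}

def get_frame_policy(headers):
    """Return 'deny', 'sameorigin' or None.
    None means the header is absent, duplicated or carries a value the
    browser will not honour (e.g. the obsolete ALLOW-FROM); in every one
    of those cases the page ends up with no framing protection."""
    values = [v.strip().lower() for k, v in headers.items()
              if k.lower() == "x-frame-options"]
    if len(values) != 1 or values[0] not in ("deny", "sameorigin"):
        return None
    return values[0]

def origin(url):
    """Origin is the (scheme, host, port) tuple that 'sameorigin' compares;
    a path difference or a default port written explicitly does not matter."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme.lower())
    return (parts.scheme.lower(), (parts.hostname or "").lower(), port)

def framing_allowed(headers, page_url, ancestor_urls):
    """Decide whether page_url may render inside the given frame chain.
    ancestor_urls lists every framing document up to the top-level one.
    Assumption: as in current browsers, every ancestor must share the
    page's origin for 'sameorigin' (older browsers checked only the
    top-level document, so a same-origin page could frame a hostile one
    that in turn framed you)."""
    policy = get_frame_policy(headers)
    if policy == "deny":
        return False
    if policy == "sameorigin":
        return all(origin(a) == origin(page_url) for a in ancestor_urls)
    return True  # no usable header: frameable from anywhere
```

Running `get_frame_policy` over your own responses is a quick check that the published rule actually emits one of the two recognised values.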
To learn more
- X-Frame-Options on the MDN site: https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/X-Frame-Options
- Reference standard (RFC 7034): https://datatracker.ietf.org/doc/html/rfc7034
We offer several other recipes to improve the security of your website, feel free to take a look!
How to install this recipe on my website with redirection.io?
Installing this recipe on your website requires the following steps:
- Choose the restriction mode: Select the mode that suits your site.
- deny: Forbids all embedding of your pages in an iframe, including on your own site. This is the strictest option.
- sameorigin: Allows embedding only on pages of your own site (same origin).
- Install the recipe: Once you have made your choice, click the install button. A rule configuring the X-Frame-Options header will be created for you in "draft" mode.
- Review the rule: Examine the generated rule to ensure it meets your expectations. For example, you can modify the conditions that trigger its execution.
- Publish the rule: Once the rule is published, your pages will be protected against unauthorized iframe embedding a few moments later.