What is X-Frame Options?

X-Frame Options is a security header that allows the website administrator to determine whether the site can be loaded in an iFrame.

iFrames are commonly used to execute click-jacking attacks. During these attacks a malicious site loads the affected site in an iFrame, tricking site visitors to unintentionally click on buttons or links on the malicious site. The intention could be to download malware, to harvest likes for social pages or to gain access to credentials, personal data, etc.


There are two possible values, with there separate use cases:

DENY: Denies the site form being loaded in an iFrame at all. This is the recommended if iFrames are not used.
SAMEORIGIN: Only allows (elements of) the site to be loaded on the same domain. This is recommended if you load elements of your own site in an iFrame, within the domain itself.

If you want your site to be loaded in in iFrame on a different domain, do not set the X-Frame-Options header!

Really Simple SSL Pro allows you to easily configure both the X-Frame-Options header and the Content-Security-Policy with frame-ancestors directive.

Note: This header is being replaced by the frame-ancestors directive of the Content-Security-Policy. Make sure the frame-ancestors and X-Frame-Options policies match. If they don’t, browsers will use the most restrictive setting. Example: If you set frame-ancestors to allow embedding on a third party site but have X-Frame-Options set to SAMEORIGIN, embedding will fail.

See this article for information on the frame-ancestors directive

Lightweight plugin, Heavyweight Security features. Get Pro and leverage your SSL certificate for WordPress security standards.