What is the X-Frame-Options header?

X-Frame-Options is a security header that tells browsers whether other websites are allowed to load your pages inside a frame on their own site. It is the classic defence against clickjacking:

  • DENY — no site, including your own, may embed the page in a frame.
  • SAMEORIGIN — only pages from your own domain may frame it; this is the safe default for most small business sites.
  • The attack it stops — without it, a scammer can load your real login or checkout page invisibly over their own and trick a visitor into clicking it.
  • Largely superseded — the frame-ancestors rule inside a Content-Security-Policy does the same job with more control, but X-Frame-Options still covers older browsers.

It is a single line in your server or hosting control panel and breaks nothing on a normal site. If your pages have no reason to be embedded elsewhere, set it to SAMEORIGIN and move on.