X-Frame-Options is an HTTP response header that helps protect your website from clickjacking attacks. Clickjacking occurs when a malicious site embeds your website within an invisible iframe, tricking users into interacting with your site without realizing it.
By using the X-Frame-Options header, you can control whether your site can be embedded in an iframe and if so, under what circumstances.
⚙️ Possible X-Frame-Options Values
DENY – The page cannot be displayed in an iframe at all, even on your own site.
SAME ORIGIN – The page can only be displayed in an iframe on the same origin (your own domain).
ALLOW – The page can be displayed in an iframe only on the specified URL (note: limited browser support).
🌐 Why X-Frame-Options is Important
Protects users – Prevents attackers from tricking users into clicking hidden buttons or links.
Improves security – Ensures your website content is only embedded where you intend.
Supports compliance – Helps meet web security best practices for sensitive websites.
⚙️ Adjusting X-Frame-Options in ShowOff
You can modify this setting in the CMS to control whether your site can be loaded from within another webpage (for example, in an iframe):
Go to Settings > Site Settings.
Select the Security Settings tab.
Adjust the X-Frame-Options (Header) dropdown to the relevant option (DENY, SAMEORIGIN, or ALLOW-FROM).
This setting determines whether your site can be embedded in another webpage and is applied at the HTTP header level.
📌 Key Things to Remember
Most modern browsers respect X-Frame-Options, but ALLOW has limited support.
For more advanced control, consider using Content Security Policy (CSP) frame-ancestors, which offers broader browser support.
On ASP-built websites, X-Frame-Options is configured automatically for security by default, so changes are only required if you have a specific embedding requirement.
Comments
0 comments
Please sign in to leave a comment.