X-Frame-Options

In this lesson, we'll learn about Clickjacking attacks and the dangers of third-party websites embedding your pages in iframes on their own sites to steal information. Then, we'll learn how the X-Frame-Options header can mitigate these attacks.

The X-Frame-Options HTTP header was introduced to mitigate an attack called Clickjacking. In a Clickjacking attack, the attacker disguises page elements such as buttons and text inputs by hiding them behind real web pages, which are rendered on the screen using an iframe HTML element or similar objects.

Deprecation Notice: The X-Frame-Options header was never standardized as part of an official specification, but many popular browsers today still support it. Its successor is the Content-Security-Policy (CSP) header, which will be covered in the next section. Generally, you should focus on implementing CSP for newly built web applications.
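To check how a response is actually protected against framing, the following added example (not code from this lesson) audits a set of response headers for both X-Frame-Options and its CSP successor. It assumes the CSP directive in question is `frame-ancestors`; the function name `auditFraming` and the sample responses are constructed for illustration.

```javascript
// Added example, not from the lesson. `headers` maps header name -> string or string[].
function auditFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) {
    h[name.toLowerCase()] = [].concat(value).join(", "); // repeated headers are comma-joined
  }
  const findings = [];
  let restricted = false;

  // CSP frame-ancestors: directives are ';'-separated, multiple policies ','-separated.
  const fa = (h["content-security-policy"] || "")
    .split(/[;,]/)
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (fa) {
    // "*" or a bare scheme such as "https:" lets almost any site embed the page.
    const broad = fa.slice(1).filter((s) => s === "*" || /^[a-z][a-z0-9+.-]*:$/i.test(s));
    if (broad.length) findings.push(`frame-ancestors allows broad sources: ${broad.join(" ")}`);
    else restricted = true;
  }

  const xfo = h["x-frame-options"];
  if (xfo !== undefined) {
    const values = [...new Set(xfo.split(",").map((v) => v.trim().toUpperCase()))];
    if (values.length > 1) {
      findings.push("X-Frame-Options carries conflicting values; send exactly one");
    } else if (values[0] === "DENY" || values[0] === "SAMEORIGIN") {
      // Browsers that enforce frame-ancestors ignore X-Frame-Options, so it only
      // counts as the deciding control when no frame-ancestors directive is present.
      restricted = restricted || !fa;
    } else if (values[0].startsWith("ALLOW-FROM")) {
      findings.push("ALLOW-FROM is obsolete and ignored by current browsers");
    } else {
      findings.push(`unrecognised X-Frame-Options value: ${values[0] || "(empty)"}`);
    }
  }
  if (!restricted && findings.length === 0) {
    findings.push("no framing restriction: any origin can embed this page");
  }
  return { restricted, findings };
}

// Constructed sample responses.
const samples = [
  { "X-Frame-Options": "DENY" },
  { "X-Frame-Options": "ALLOW-FROM https://partner.example" },
  { "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  {},
];
for (const s of samples) console.log(JSON.stringify(s), "=>", auditFraming(s));
```

A response counts as restricted only when a browser would actually enforce the header, which is why an `ALLOW-FROM` value or a wildcard `frame-ancestors` is reported as a finding rather than as protection.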
