Should I use X-Frame-Options or CSP frame-ancestors?

Use both for maximum compatibility. X-Frame-Options is supported by older browsers. CSP frame-ancestors is more flexible and takes precedence over X-Frame-Options in modern browsers when both are present. For new deployments, prefer CSP frame-ancestors.

Why is ALLOW-FROM deprecated?

ALLOW-FROM is not supported in Chrome or Firefox — they simply ignore it. Use the CSP frame-ancestors directive with a specific origin instead, which is widely supported across all modern browsers.

What is the difference between DENY and SAMEORIGIN?

DENY blocks all framing regardless of origin. SAMEORIGIN allows the page to be framed only by pages from the same scheme, host, and port. For most sites, DENY is the safest default unless you need self-embedding.

Do I need to set both headers?

For best browser coverage, set both. Modern browsers respect CSP frame-ancestors and ignore X-Frame-Options when CSP is present. Older browsers only understand X-Frame-Options, so setting both ensures broad protection.

X-Frame-Options Generator

Name: X-Frame-Options Generator
Availability: InStock
Author: Nham Vu

Generate X-Frame-Options and CSP frame-ancestors headers to prevent clickjacking. Get ready-to-paste server config snippets for Nginx, Apache, and IIS.

Framing Policy

DENY Block all framing — no site can embed this page in an iframe. SAMEORIGIN Allow framing only from the same origin (scheme + host + port). ALLOW-FROM Allow framing from a specific URL only. Deprecated — not supported in Chrome/Firefox.

Deprecation warning: X-Frame-Options: ALLOW-FROM is not supported by Chrome or Firefox and is removed from the specification. Use the CSP frame-ancestors directive shown below instead. The generated output includes the modern CSP equivalent.

Generated Headers

X-Frame-Options

CSP frame-ancestors (recommended)

Server Configuration Snippets

What is Clickjacking?

Clickjacking (UI redress attack) tricks users into clicking elements they cannot see. An attacker embeds your site in a transparent iframe placed over a decoy page. When the user thinks they are clicking a harmless button, they are actually interacting with your site — transferring money, changing settings, or approving permissions without their knowledge.

Setting X-Frame-Options or Content-Security-Policy: frame-ancestors instructs browsers to refuse to render your page inside an iframe unless it comes from an allowed origin.

X-Frame-Options

Legacy HTTP header. Supported by all browsers including IE. Does not support multiple origins. ALLOW-FROM is deprecated and unsupported in Chrome/Firefox.

CSP frame-ancestors

Modern standard. Supports multiple origins, wildcards, and nonces. Takes precedence over X-Frame-Options in modern browsers. Recommended for all new deployments.

Copied!

Summary