X-Frame-Options is a simple HTTP header to define if a website is allowed to be loaded in a frame by browser or not. It provides protection against click jacking attacks where attacker loads the legitimate website either from a malicious website or by embedding HTML frame code in side another website.

This header is depreciated and replaced by content-security-policy. Although it was never standardized, but since this is still supported by majority of the browsers and still widely being used, it is too soon to forget about it. The new header content-security-policy is not yet that popular, however it is still being adopted as security best practice against click jacking attacks. We will be discussing about it in a later article.

X-Frame-Options takes following directives:

Deny: It specifies that the page cannot be loaded in frame.

Same origin: It Specifies, browser can load the page in frame if the request is originating from the same parent domain.

Allow-from <uri>: Same as above except it for other domains. Basically it allows browser to load the page if the request is from the allowed domains. Be careful with this as its a new feature the support of this can vary according to the browser capability.

Limitations:

  1. Per page definition is required, no option to define it for a domain or for multiple-domains
  2. Support for allow-from is dicey and depends on browser types
  3. Multiple options not supported
  4. Problems with nested frames
  5. Depreciated and not good for website use for future
  6. Be aware of proxy header stripping

Following the the reference links for this articals, be sure to visit them for further details about the header:

Refferance links:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://www.keycdn.com/blog/x-frame-options

Interesting reads:https://en.wikipedia.org/wiki/Clickjacking

Dont miss out on an awesome OWASP cheat sheet on click jacking for more information on X-frame-options, content-security-policy and click jacking:

https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md