What Does X-Frame-Options Do?

October 30, 2020 by Mel Hawthorne 1 Comment

HTTP headers are a type of metadata sent with web requests and responses; the information they provide can be important or simply informational. Security headers are a subset of the response headers that can be set by the web server; they are one of the features that can help address a number of security issues. One of the security headers, called “X-Frame-Options”, is designed to prevent click-jacking attacks.

Click-Jacking

Click-jacking, also known as “User Interface Redressing”, is an issue where an attacker is able to trick a user into clicking on something that isn’t what it appears to be. For websites, this is done by overlaying a transparent website over a visible one. In this type of attack, the user thinks they’re interacting with the visible website, but in reality they’re unwittingly interacting with the transparent website.

For example, an attacker could set up a website that makes it likely that a user clicks on a button, perhaps a play button for a video. In a transparent layer over the top of that webpage is a second webpage, such as the webpage to delete your Facebook account with the “Delete account” button positioned directly over the play button. In this scenario when the user tries to click play, they actually click the button to delete their Facebook account.

Click-jacking relies on the ability to display the target website over the top of the dummy website, through a process called “Framing”. Framing uses the HTML element “iframe”, which can load an entire separate webpage within another page. If the attacker loads the target webpage in a frame, positions it carefully, and makes it transparent, the victim can be completely unaware that they’re being tricked into performing an action.

X-Frame-Options

The HTTP response header “X-Frame-Options” is an optional feature that can be set for websites in the server configuration files. X-Frame-Options prevents webpages from being loaded in iframes, which prevents them from being overlaid over another website. The victim’s browser is what actually applies the security control: all browsers respect the X-Frame-Options header and will refuse to load any webpage with the header set in a frame.

The header allows the website owner to configure how restrictive the setting is. There are two settings. “X-Frame-Options: DENY” prevents a protected webpage from ever being framed. The other option, “X-Frame-Options: SAMEORIGIN”, allows protected webpages to be framed only if the page loading the frame has the same domain name. In this case, you can load the page in a frame on your own website, but no one else can load it on theirs.
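To make the browser-side decision described above concrete, here is an added example (not code from the article) that parses a raw HTTP response head and simulates whether a framing page is allowed to embed the framed page, covering DENY, SAMEORIGIN, a missing header, conflicting values, and obsolete or unrecognised values. The sample responses and the host names bank.example and attacker.example are constructed for illustration.

```python
# Added example: simulate the X-Frame-Options check a browser applies
# before showing a page inside an iframe. Not the article's own code.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_response_headers(raw: str) -> dict:
    """Parse a raw HTTP response head into {lowercase-name: [values]}."""
    headers: dict = {}
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def origin_of(url: str) -> tuple:
    """Return (scheme, host, port), the tuple browsers compare for SAMEORIGIN."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return (scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme))

def framing_allowed(headers: dict, framed_url: str, framing_url: str) -> tuple:
    """Decide whether framing_url may embed framed_url. Returns (allowed, reason)."""
    values = []
    for v in headers.get("x-frame-options", []):
        values += [t.strip().upper() for t in v.split(",") if t.strip()]
    unique = set(values)
    if not unique:
        return True, "no X-Frame-Options header: any site may frame this page"
    if len(unique) > 1:
        # Conflicting values are treated as a block (HTML Standard rule).
        return False, "conflicting X-Frame-Options values: framing blocked"
    value = unique.pop()
    if value == "DENY":
        return False, "DENY: framing blocked everywhere, even on the same site"
    if value == "SAMEORIGIN":
        same = origin_of(framed_url) == origin_of(framing_url)
        return same, "SAMEORIGIN: allowed only from the same origin (%s)" % (
            "match" if same else "mismatch")
    # ALLOW-FROM and unrecognised values are ignored by current browsers,
    # so the page ends up framable, exactly as if the header were missing.
    return True, "unrecognised value %r ignored: page is framable" % value

# Constructed sample response heads (not captured from any real site).
PROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>"
UNPROTECTED = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"

if __name__ == "__main__":
    for raw in (PROTECTED, UNPROTECTED):
        print(framing_allowed(parse_response_headers(raw),
                              "https://bank.example/delete", "https://attacker.example/play"))
```

Running the same check against a real response head you capture from your own server is a quick way to confirm the header is actually reaching the browser after a configuration change.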

Comments

  1. Jhen says

    January 9, 2023 at 11:05 pm

    Hi Mitch, I have to tell you that I have been researching this for about 3 hours because I have an unanswered question in my mind, you cleared it up for me with this:

    “…browser actually applies the security control, this is because all browsers respect the X-Frame-Options header and will refuse to load any webpages with the header set in a frame.”

    But another question crossed my mind since the browser is the one who decides, is it possible that there are browsers that will show the Iframe anyway because they ignore the header?

    Thank you very much in advance for the answer you gave me without knowing it, it helped me a lot. I am a web developer trying to add this to my website :)
