X-Frame-Options, SAMEORIGIN and Clickjacking attacks

One of the best ways to enhance security that defends against Clickjacking is by using X-Frame options

Since 2008, HTTP has had another security header known as X-Frame options. The response header wasn't made as an internet standard but to protect against Clickjacking, a trick used by attackers to get users to click wrong websites disguised as right ones. With Clickjacking, web users can be easily manipulated into downloading malicious content together with malware that puts their personal information at risk of being misused.


Attackers usually hide a malicious page under the one you're visiting, which means that you will be accessing those pages without realizing it. When the HTML element is hidden in an iframe, users will believe that they are using the visible page of the bank website only, thereby giving the attacker enough time to get any information they want through the hidden page. For instance, if you want to visit a banking website, you may use a hidden page that allows the attacker to get all your financial details and transfer it. Clickjacking can occur in various ways, such as cursorjacking, where the cursor change as it is used and likejacking, which is commonly experienced on Facebook platforms. This kind of security attack applies to both user and web servers.

Clickjacking remedies

One of the best ways to enhance security that defends against Clickjacking is by using X-Frame options implemented on the web servers. It is used as part of an HTTP response, which allows a browser to include another page inside the iframe or frame tags. X-frame options security has 3 directives, namely:


With this option, you can block the loading of a page in a frame. This applies to all websites. And it blocks all pages from loading, which means that some of your website's ability to function may be affected by the command.


With this directive, the malicious page is loaded in the frame from the same origin as the page itself. The directive allows the website owner only to attach another page, which makes it the best directive from all the available options. It enables you to maintain the website's optimal functionality while still providing the necessary security against Clickjacking. It's important to note that with this directive, if a browser cannot specify the origin of a page, it will be denied. You, therefore, need to specify your pages' origin distinctively to prevent being denied.

Allow-from uri

With this option, a page will only be loaded in a frame if the domain or origin is specified. As such, you get to choose specific websites that you trust to add pages to the site. Although it gives more room for the functionality of the site, it also comes with more risks. The browser you use has to support the directive; otherwise, you'll not have any security against Clickjacking.


For website owners, sameorigin remains the best security against Clickjacking as it prevents malicious people from using your content against you, especially when they try to remain hidden. However, you can try to use the deny directive, but only if you don't mind limiting your website's functionality. Remember to consider the kind of browser you're using as well since most of them use specific X-frame options directives.

Downtime Happens. Get Notified!

Uptime, SEO and Vulnerability monitors

for your website, totally free