
3.2.6. X-Frame-Options

The X-Frame-Options header can be used by a server to indicate that the returned page shall not be rendered inside <frame> and <iframe> tags. Sites can use this as a defense against clickjacking attacks. The header takes one of the following values:
DENY
Content of the page shall not be displayed in a frame regardless of the origin of the page attempting to do so.
SAMEORIGIN
Content of the page can be embedded only in a page with the same origin as the page itself.
ALLOW-FROM
Content of the page can be embedded only in a page whose top-level origin is the one specified by this option.
A header returned from the server that allows the content to be embedded within https://example.com/ looks like this:
X-Frame-Options: ALLOW-FROM https://example.com/
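
The three values described above, worked through as an added example (not part of the original documentation): a Python check that decides whether a page may be framed, given the header value it was served with. The function names, the sample URLs and the choice to raise on a malformed value are assumptions of this example, and it models a single level of framing in which the embedding page is the top-level page.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Reduce a URL to its origin: (scheme, host, port), default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def framing_allowed(xfo_value, page_url, top_url):
    """Return True if page_url may render in a frame under top-level page top_url.

    xfo_value is the X-Frame-Options value sent with page_url (None if absent).
    Raises ValueError for a value that is none of the three documented forms.
    """
    if xfo_value is None:
        return True  # no header, so no framing restriction is requested
    fields = xfo_value.split()
    directive = fields[0].upper() if fields else ""
    if directive == "DENY" and len(fields) == 1:
        return False  # never framed, whatever the embedding origin
    if directive == "SAMEORIGIN" and len(fields) == 1:
        return origin(top_url) == origin(page_url)
    if directive == "ALLOW-FROM" and len(fields) == 2:
        return origin(top_url) == origin(fields[1])
    raise ValueError(f"malformed X-Frame-Options value: {xfo_value!r}")


if __name__ == "__main__":
    # Constructed sample cases: (header value, top-level page doing the framing).
    page = "https://app.example.org/account"
    cases = [
        ("DENY", "https://app.example.org/home"),
        ("SAMEORIGIN", "https://app.example.org:443/home"),
        ("SAMEORIGIN", "http://app.example.org/home"),
        ("ALLOW-FROM https://example.com/", "https://example.com/portal"),
        ("ALLOW-FROM https://example.com/", "https://other.example.net/"),
    ]
    for value, top in cases:
        print(f"{value:34} top={top:34} -> {framing_allowed(value, page, top)}")
```

The result for ALLOW-FROM reflects what the header requests, not what a browser enforces: current browsers do not implement ALLOW-FROM, and the Content-Security-Policy frame-ancestors directive is the supported way to allow a specific origin.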

3.2.6.1. References