X-Frame-Options Security Header

The X-Frame-Options header tells the browser whether the page may be opened inside a frame or iframe. In this way you can prevent clickjacking attacks on your website.

For example, if the website contains the X-FRAME-OPTIONS header with the value Allow-From, then the website can only be “framed” from the domain

Other options are to always deny framing (DENY) or to allow framing only from the same origin (SAMEORIGIN).

These are the values it accepts:

DENY: The page cannot be displayed in a frame/iframe.

SAMEORIGIN: It can only be displayed in a frame/iframe from its own domain.

ALLOW-FROM uri: It can only be displayed in a frame/iframe from the indicated URL.
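To make the three values concrete, here is an added example (not code from the original article) that emulates the decision a current browser makes when it receives the header, following the X-Frame-Options check in the HTML Standard: DENY blocks, SAMEORIGIN requires every ancestor frame to share the page's origin, and ALLOW-FROM, which current browsers no longer recognise, is treated like any unknown value and ignored. The page, framing origins and header strings below are constructed for the example.

```python
"""Emulate the browser-side X-Frame-Options decision.

Follows the check in the HTML Standard ("check a navigation response's
adherence to X-Frame-Options"). ancestor_urls is the chain of documents
framing the page; all of them are checked, not only the direct parent.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": "80", "https": "443"}


def origin_of(url: str) -> str:
    """Return scheme://host[:port], lowercased, with a default port dropped."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or str(port) == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def parse_x_frame_options(header_value):
    """Split the (possibly comma-joined) header into a set of lowercase tokens.

    HTTP joins repeated X-Frame-Options headers with commas, which is how a
    server that emits the header twice ends up sending 'DENY, SAMEORIGIN'.
    """
    if header_value is None:
        return set()
    return {tok.strip().lower() for tok in header_value.split(",") if tok.strip()}


def framing_allowed(header_value, page_url, ancestor_urls) -> bool:
    """True if a current browser would render page_url inside the given ancestors."""
    if not ancestor_urls:
        return True  # top-level navigation: nothing to check
    options = parse_x_frame_options(header_value)
    if len(options) > 1:
        # Conflicting values: a 'deny' among them blocks; otherwise the header is ignored.
        return not ({"deny", "allowall", "invalid"} & options)
    if not options:
        return True  # no header: framing from anywhere is permitted
    (value,) = options
    if value == "deny":
        return False
    if value == "sameorigin":
        page_origin = origin_of(page_url)
        # Every ancestor must be same-origin, not just the direct parent.
        return all(origin_of(a) == page_origin for a in ancestor_urls)
    # 'allow-from ...' and any other token is unrecognised by current browsers
    # and therefore ignored, which means framing is allowed.
    return True


if __name__ == "__main__":
    # Constructed example: a third-party site tries to frame a checkout page.
    page = "https://shop.example/checkout"
    for header in ("DENY", "SAMEORIGIN", "ALLOW-FROM https://partner.example", None):
        print(f"{header!s:40} framed by attacker.example -> {framing_allowed(header, page, ['https://attacker.example/'])}")
```

The multi-value branch is the reason a directive that appends rather than sets the header is risky: "ALLOW-FROM x, SAMEORIGIN" has two distinct tokens and no "deny", so the whole header is ignored and the page becomes frameable.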

If we use WordPress as a CMS, the best way to add this header is to add a few lines of code to the functions.php file of the WordPress theme we are using.

This file is located in the path wp-content/themes/THEME_NAME, where THEME_NAME is the name of the theme that we have activated.

First of all, we will make a backup of the functions.php file. Then we edit it and add the following code at the end of it:

// Hook WordPress's send_headers action so the header is sent with every front-end response.
add_action( 'send_headers', 'add_header_xframeoptions' );
function add_header_xframeoptions() {
    header( 'X-Frame-Options: SAMEORIGIN' );
}

There are other ways to add this header. If we have Apache as a web server we can use the .htaccess file, adding the code indicated below:

# "set" replaces any existing value; "append" would produce a comma-joined value
# such as "ALLOW-FROM x, SAMEORIGIN", which browsers ignore. "always" also covers error responses.
Header always set X-Frame-Options "SAMEORIGIN"

If you are using Nginx, you would have to enter the following code in the Nginx configuration file:

# "always" makes Nginx add the header to error responses (4xx/5xx) too, not only to 2xx/3xx.
add_header X-Frame-Options SAMEORIGIN always;

You can find more technical information on the Mozilla Developer Network.

If we want to add other security headers by editing the functions.php file, we can do it in a single function instead of adding each header in a separate function; the operation is otherwise the same.

In the following example code, which should be placed at the end of the functions.php file, the X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers are added:

add_action( 'send_headers', 'add_header_security' );
function add_header_security() {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-XSS-Protection: 1; mode=block' ); // legacy header, ignored by current browsers
}

In the event that we want to add the headers in the .htaccess file, the lines to add would look like this:

# "always set" applies to error responses (4xx/5xx) as well and replaces any existing value.
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
# Legacy header: current browsers ignore it, but it is harmless to keep.
Header always set X-XSS-Protection "1; mode=block"
# Deprecated header, kept here as in the original list.
Header always set Expect-CT "max-age=7776000, enforce"
# The header name takes no trailing colon in a Header directive.
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set X-Frame-Options "SAMEORIGIN"
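Whichever route is used (the functions.php hook or the .htaccess rules above), the change is only worth something if the headers actually arrive at the browser with usable values. The following added example, which is not code from the original article, parses a captured HTTP response head and reports one finding per header from the list above; the sample response is constructed and deliberately carries the "SAME-ORIGIN" spelling and a Content-Security-Policy without frame-ancestors, two mistakes this check is meant to surface. Header names, the one-year max-age threshold and the finding strings are this example's own.

```python
"""Offline audit of the security headers a site sends back.

Feed it either a captured raw response head or a dict of headers and it
reports one finding per header from the list above.
"""
import re

# Constructed sample: a response from a site where the header rules were typed
# with the 'SAME-ORIGIN' spelling and without a CSP frame-ancestors directive.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "Content-Security-Policy: upgrade-insecure-requests\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAME-ORIGIN\r\n"
    "Referrer-Policy: no-referrer-when-downgrade\r\n"
    "\r\n"
    "<!doctype html><title>sample</title>"
)

ONE_YEAR = 31536000  # the max-age used in the .htaccess rules above


def parse_response_headers(raw: str) -> dict:
    """Parse an HTTP/1.1 response head into {lowercase-name: value}; repeats are comma-joined."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # [0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def audit_security_headers(headers: dict) -> dict:
    """Return {header-name: finding}; 'ok' means the value does what the article expects."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = {}

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings["X-Frame-Options"] = "missing: the page can be framed from anywhere"
    elif xfo.strip().lower() in ("deny", "sameorigin"):
        findings["X-Frame-Options"] = "ok"
    elif xfo.strip().lower().startswith("allow-from"):
        findings["X-Frame-Options"] = "obsolete ALLOW-FROM: current browsers ignore it, use CSP frame-ancestors"
    else:
        findings["X-Frame-Options"] = f"unrecognised value {xfo!r}: browsers ignore it (expected SAMEORIGIN or DENY)"

    csp = h.get("content-security-policy")
    if csp is None:
        findings["Content-Security-Policy"] = "missing"
    elif "frame-ancestors" in csp.lower():
        findings["Content-Security-Policy"] = "ok"
    else:
        findings["Content-Security-Policy"] = "present but without frame-ancestors: framing is controlled by X-Frame-Options only"

    nosniff = h.get("x-content-type-options", "")
    findings["X-Content-Type-Options"] = "ok" if nosniff.strip().lower() == "nosniff" else "missing or not 'nosniff'"

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings["Strict-Transport-Security"] = "missing"
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m:
            findings["Strict-Transport-Security"] = "invalid: no max-age directive"
        elif int(m.group(1)) < ONE_YEAR:
            findings["Strict-Transport-Security"] = f"max-age {m.group(1)} is below one year ({ONE_YEAR})"
        else:
            findings["Strict-Transport-Security"] = "ok"

    findings["Referrer-Policy"] = "ok" if "referrer-policy" in h else "missing"

    # Deprecated headers from the list: note whether they are present, but do not score them.
    for pretty, key in (("X-XSS-Protection", "x-xss-protection"), ("Expect-CT", "expect-ct")):
        findings[pretty] = ("set (deprecated, ignored by current browsers)" if key in h
                            else "not set (deprecated, no longer needed)")
    return findings


if __name__ == "__main__":
    for name, finding in audit_security_headers(parse_response_headers(SAMPLE_RESPONSE)).items():
        print(f"{name:28} {finding}")
```

Repeated headers are comma-joined in the parser on purpose, so a server that emits X-Frame-Options twice shows up as an unrecognised combined value rather than silently passing.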
