The X-Frame-Options response header tells the browser whether the page may be rendered inside a frame or iframe. This is the classic defence against clickjacking, where an attacker loads your site in an invisible frame on their own page and tricks visitors into clicking on it.
For example, if the website https://atlanticadigital.net sent the X-Frame-Options header with the value ALLOW-FROM https://www.facebook.com, the intention was that https://atlanticadigital.net could only be "framed" by pages on www.facebook.com. Be aware that ALLOW-FROM is obsolete: current browsers do not implement it and treat a response carrying only ALLOW-FROM as if it had no X-Frame-Options at all, so it gives no protection. To allow framing from one specific origin, use the frame-ancestors directive of Content-Security-Policy instead (for example frame-ancestors 'self' https://www.facebook.com); when both headers are present, frame-ancestors takes precedence.
The other options are to deny framing entirely (DENY) or to allow it only from the same origin (SAMEORIGIN).
These are the values it accepts:
DENY
The page cannot be displayed in a frame/iframe.
SAMEORIGIN
It can only be displayed in a frame/iframe by pages of the same origin: same scheme, host and port, so the http:// and https:// versions of a site count as different origins. Current browsers apply the check to every frame in the ancestor chain, not only to the top-level page.
ALLOW-FROM uri
It was meant to allow display in a frame/iframe only from the single origin given (one origin, not a list of URLs). Obsolete: no current browser honours it, and a response whose only value is ALLOW-FROM is treated as unrestricted. Use Content-Security-Policy: frame-ancestors instead.
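As an added example, not code from the original article, the following Python script models how a current browser decides whether a response may be framed: the X-Frame-Options rules from the HTML Standard (DENY, SAMEORIGIN, ALLOW-FROM being ignored, and the treatment of a header that carries two different values) and the rule that a Content-Security-Policy frame-ancestors directive, when present, overrides X-Frame-Options. The header samples, the embedding pages and the use of https://atlanticadigital.net as the protected origin are all constructed for the illustration, and the CSP source matching is simplified (no paths or port wildcards).

```python
"""Added example: model a browser's decision on whether a response may be
framed (HTML Standard X-Frame-Options check plus CSP frame-ancestors, which
takes precedence). Simplified CSP matching; all sample headers constructed."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """Return (scheme, host, port) with the default port made explicit."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def header_values(headers, name):
    """All values of `name` (case-insensitive), comma-split and trimmed,
    as a browser's 'get, decode, and split' produces them."""
    values = []
    for key, value in headers:
        if key.lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values

def frame_ancestors_policies(headers):
    """One source list per CSP policy that carries a frame-ancestors directive."""
    policies = []
    for policy in header_values(headers, "Content-Security-Policy"):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                policies.append(parts[1:])
    return policies

def source_matches(source, ancestor, own):
    """Simplified CSP source match: 'none', 'self', *, scheme-source ("https:")
    and host-source with optional scheme, port and leading "*." wildcard."""
    s = source.lower()
    if s == "'none'":
        return False
    if s == "'self'":
        return ancestor == own
    if s == "*":
        return True
    a_scheme, a_host, a_port = ancestor
    if s.endswith(":") and "//" not in s:          # scheme-source
        return a_scheme == s[:-1]
    if "://" not in s:                             # host-source without scheme:
        if a_scheme not in (own[0], "https"):      # matches own scheme or https
            return False
        s = a_scheme + "://" + s
    s_scheme, s_host, s_port = origin_of(s)
    if s_scheme != a_scheme or s_port != a_port:
        return False
    if s_host.startswith("*."):
        return a_host.endswith(s_host[1:])         # subdomains only, not the apex
    return s_host == a_host

def xfo_allows(headers, own, ancestors):
    """The X-Frame-Options check as specified in the HTML Standard."""
    values = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if not values:
        return True
    if len(values) > 1:
        # Conflicting values, e.g. "SAMEORIGIN, DENY" after an Apache 'Header
        # append' on a site that already sends one: blocked if any keyword is known.
        return not values & {"deny", "allowall", "sameorigin"}
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(anc == own for anc in ancestors)
    return True  # ALLOW-FROM or any other unknown value: ignored, framing allowed

def framing_allowed(headers, own_url, ancestor_urls):
    """True if the response may be framed by the given ancestor chain (parent first)."""
    own = origin_of(own_url)
    ancestors = [origin_of(u) for u in ancestor_urls]
    policies = frame_ancestors_policies(headers)
    if policies:
        # Every policy must permit every ancestor; X-Frame-Options is ignored.
        return all(any(source_matches(src, anc, own) for src in sources)
                   for sources in policies for anc in ancestors)
    return xfo_allows(headers, own, ancestors)

# Constructed sample responses (hypothetical, not captured from any real site).
OWN_URL = "https://atlanticadigital.net/"
SAMPLES = {
    "functions_php": [("X-Frame-Options", "SAMEORIGIN")],
    "legacy_allow_from": [("X-Frame-Options", "ALLOW-FROM https://www.facebook.com")],
    "after_bad_append": [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "csp_overrides_xfo": [("X-Frame-Options", "DENY"),
                          ("Content-Security-Policy", "frame-ancestors 'self' https://*.facebook.com")],
}

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        for emb in ("https://atlanticadigital.net/x", "https://www.facebook.com/", "https://attacker.example/"):
            print(f"{name:18} framed by {emb:32} -> {framing_allowed(headers, OWN_URL, [emb])}")
```

Running it prints a verdict for each sample and embedding page. The after_bad_append sample shows what an Apache Header append does on a site whose application already sends X-Frame-Options: the two values conflict and the page can no longer be framed anywhere, its own pages included, while legacy_allow_from shows that ALLOW-FROM is simply ignored.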
If we use WordPress as the CMS, one simple way to add this header is a few lines of PHP in the functions.php file of the theme we are using. Keep in mind that a theme update overwrites this file, so for anything you want to keep, put the same code in a child theme or a small plugin instead. WordPress core already sends X-Frame-Options: SAMEORIGIN for wp-admin and the login page; the code below covers the public front end.
This file is located in the path wp-content/themes/THEME_NAME, where THEME_NAME is the name of the active theme.
First of all, make a backup of the functions.php file. Then edit it and add the following code at the end:
// Send X-Frame-Options with every front-end response.
add_action( 'send_headers', 'add_header_xframeoptions' );
function add_header_xframeoptions() {
    header( 'X-Frame-Options: SAMEORIGIN' );
}
There are other ways to add this header. If Apache is the web server, it can be added from the .htaccess file (mod_headers must be enabled):
Header always set X-Frame-Options SAMEORIGIN
Use set rather than append: append would join a second value onto an X-Frame-Options header that the application already sends, and a header carrying two different values (for example SAMEORIGIN, DENY) makes current browsers refuse to frame the page anywhere, your own site included. The always keyword makes Apache add the header to error responses (404, 500 and so on) as well, not only to successful ones.
If you are using Nginx, add the following to the server block of the Nginx configuration file:
add_header X-Frame-Options SAMEORIGIN always;
Here always likewise covers error responses. Note that Nginx inherits add_header directives from the enclosing level only when the current level has none of its own, so a location block that adds its own headers silently drops this one unless it is repeated there.
You can find more technical information on the Mozilla Developer Network.
If we want to add other security headers from functions.php, we can do it in a single function rather than one function per header; the mechanism is the same.
In the following code, again placed at the end of functions.php, the X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers are added. Be aware that X-XSS-Protection is obsolete: current browsers have removed the XSS auditor it controlled, and in the browsers that had one the filter was itself abused for information leaks, which is why the value recommended today, if the header is sent at all, is 0. A Content-Security-Policy is the real defence against cross-site scripting. X-Content-Type-Options: nosniff remains useful: it stops the browser from guessing a content type different from the one the server declares.
// Send the security headers with every front-end response.
add_action( 'send_headers', 'add_header_security' );
function add_header_security() {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    // Obsolete: current browsers ignore X-XSS-Protection; use a Content-Security-Policy instead.
    header( 'X-XSS-Protection: 1; mode=block' );
}
If we prefer to add the headers from the .htaccess file instead, the lines would look like this:
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" env=HTTPS
Header always set Content-Security-Policy "upgrade-insecure-requests"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Expect-CT "max-age=7776000, enforce"
Header always set Referrer-Policy "no-referrer-when-downgrade"
Header always set X-Frame-Options SAMEORIGIN
A few points to check before copying this block. The header name must not carry a trailing colon (Referrer-Policy: with a colon makes Apache emit a malformed header that browsers do not apply). no-referrer-when-downgrade still sends the full URL to every HTTPS third party; strict-origin-when-cross-origin, the current browser default, is the usual recommendation. The env=HTTPS condition correctly limits Strict-Transport-Security to HTTPS responses, but includeSubDomains and preload commit every subdomain to HTTPS for a year and preload is effectively irreversible, so only keep preload if you intend to submit the domain to the preload list. X-XSS-Protection and Expect-CT are both obsolete (Certificate Transparency checks are now built into browsers for all publicly trusted certificates, and support for Expect-CT has been removed) and can be omitted. The Content-Security-Policy line only upgrades insecure requests; if you want the CSP equivalent of SAMEORIGIN, add frame-ancestors 'self' to that same value rather than a second Content-Security-Policy line, because Header set replaces any earlier header of the same name.