X-Frame-Options is an HTTP response header that tells a browser whether it may render the page inside a `<frame>`, `<iframe>`, `<embed>`, or `<object>`. A missing X-Frame-Options header is a security weakness because it lets any other website embed your pages in its own. That capability is the basis of "clickjacking", where an attacker loads your page in an invisible frame over a decoy page so that the user's clicks land on your site's controls without their knowledge.
Think of your website as a valuable painting. Without an X-Frame-Options header, anyone can put your painting in their own frame and display it on their wall, potentially tricking people into thinking it's theirs or placing a fake donation box in front of it. This header is the equivalent of a "Do Not Frame" notice. For a broader look at website security, see our security guides.

The SEO Impact of Preventing Clickjacking
While the X-Frame-Options header is not a direct ranking factor, it is a critical part of a secure web presence, which is essential for SEO. As Ahrefs’ guide to website security makes clear, a hacked or compromised site can be severely penalized.
- Protects Brand Reputation: Preventing clickjacking protects your users and your brand from being associated with malicious activities.
- Builds User Trust: A secure website is a trustworthy website. Users are more likely to engage with and convert on a site that they know is safe.
A Step-by-Step Guide to Implementing X-Frame-Options
Implementing this header is a simple, server-level change that provides significant protection. For a deep dive into the technical details, the MDN Web Docs are an excellent resource.
Example: Implementing X-Frame-Options in `.htaccess`

```apache
# Send X-Frame-Options on every response, error pages included ("always"),
# whenever mod_headers is loaded. SAMEORIGIN permits framing only by pages
# from the same origin; use "DENY" to forbid framing entirely.
<IfModule mod_headers.c>
    Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
```
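If your site is served by a Python application rather than Apache, the same header can be added by the application itself. The following is an added example, not code from the original article: a small WSGI middleware (the names `frame_options_middleware`, `demo_app` and `response_headers` are assumptions chosen for this illustration) that stamps X-Frame-Options onto every response, removes any conflicting copy the application may have set, and refuses the obsolete `ALLOW-FROM` form. It uses only the standard library and runs one request in-process, so it works offline.

```python
# Added example (not the article's code): set X-Frame-Options from a WSGI
# middleware so every response carries it, regardless of the web server.

VALID_VALUES = {"DENY", "SAMEORIGIN"}


def frame_options_middleware(app, value="SAMEORIGIN"):
    """Wrap a WSGI app so each response carries X-Frame-Options: <value>."""
    if value not in VALID_VALUES:
        # ALLOW-FROM is obsolete and ignored by modern browsers; anything else
        # is a typo. Failing loudly beats silently shipping no protection.
        raise ValueError(f"unsupported X-Frame-Options value: {value!r}")

    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            # Drop any copy the app already set: browsers ignore the header
            # when it carries conflicting values, so exactly one must remain.
            kept = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            kept.append(("X-Frame-Options", value))
            return start_response(status, kept, exc_info)

        return app(environ, start_with_header)

    return wrapped


def demo_app(environ, start_response):
    """Stand-in application (constructed for the example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def conflicting_app(environ, start_response):
    """Stand-in app that sets an obsolete value the middleware must replace."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Frame-Options", "ALLOW-FROM https://example.test")])
    return [b"hello"]


def response_headers(app, path="/"):
    """Run one GET through `app` in-process; return (status, header list, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def frame_options_values(headers):
    """All X-Frame-Options values in a header list (case-insensitive name)."""
    return [v for k, v in headers if k.lower() == "x-frame-options"]


if __name__ == "__main__":
    status, headers, _ = response_headers(frame_options_middleware(demo_app))
    print(status, frame_options_values(headers))
```

Wrap the real application the same way (`application = frame_options_middleware(application)`) at the point where the WSGI server imports it; a quick `response_headers` call in a unit test then guards against the header being dropped by a later refactor.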
For more on this topic, see our guide on on-page SEO.
Frequently Asked Questions
What is clickjacking?
Clickjacking is a malicious technique where an attacker tricks a user into clicking on something different from what the user perceives. They do this by displaying an invisible page or element in an iframe over the visible page. The X-Frame-Options header is a primary defense against this type of attack.
What about the ‘ALLOW-FROM’ directive?
The `ALLOW-FROM uri` directive was an option that allowed you to specify a single, trusted domain that could frame your content. However, it is now obsolete and is no longer supported by modern browsers, which treat it as if no header were present. The `frame-ancestors` directive in a Content-Security-Policy is the modern, more flexible replacement, and where both are present browsers that understand `frame-ancestors` give it precedence.
How can I check if my site has an X-Frame-Options header?
You can use your browser’s developer tools (Network tab) to inspect the response headers for your page. For a more comprehensive and automated check, you can use a free online tool like Security Headers by Probely or a website crawler like Creeper.
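The checks an online tool or crawler performs on those response headers can be scripted. The following is an added example, not code from the article or from any of the tools it names: a function `frame_protection` (an assumed name) that takes the headers collected for one page and reports whether framing is restricted, applying the rules from the answers above: `DENY` and `SAMEORIGIN` protect, the obsolete `ALLOW-FROM` does not, a comma-joined pair of values is ignored by browsers, and a CSP `frame-ancestors` directive takes precedence unless it is `*`. The sample responses are constructed, so the script runs offline.

```python
# Added example (not the article's code): audit response headers for
# clickjacking protection, following the rules the article describes.

SAFE_XFO = ("DENY", "SAMEORIGIN")


def frame_ancestors_sources(csp):
    """Return the source list of a CSP frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def frame_protection(headers):
    """Return (protected, reason) for a mapping of HTTP response headers."""
    # Header names are case-insensitive; normalise once.
    h = {k.lower(): v for k, v in headers.items()}

    # CSP frame-ancestors wins over X-Frame-Options in browsers that support it.
    sources = frame_ancestors_sources(h.get("content-security-policy", ""))
    if sources is not None:
        if "*" in sources:
            return False, "CSP frame-ancestors * allows framing by any origin"
        return True, "CSP frame-ancestors " + " ".join(sources)

    xfo = h.get("x-frame-options")
    if xfo is None:
        return False, "no X-Frame-Options or CSP frame-ancestors header"
    value = xfo.strip().upper()
    if value in SAFE_XFO:
        return True, f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is obsolete and ignored by modern browsers"
    if "," in value:
        return False, f"conflicting X-Frame-Options values ({xfo!r}) are ignored by browsers"
    return False, f"unrecognised X-Frame-Options value {xfo!r}"


# Constructed sample responses, keyed by a label, as a crawler might collect.
SAMPLE_RESPONSES = {
    "no-header": {"Content-Type": "text/html"},
    "same-origin": {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"},
    "lowercase-deny": {"x-frame-options": "deny"},
    "obsolete": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "doubled": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
                 "X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def audit(responses):
    """Return the labels of responses that leave the page frameable."""
    return [label for label, hdrs in responses.items()
            if not frame_protection(hdrs)[0]]


if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        protected, reason = frame_protection(hdrs)
        print(f"{label:14} {'OK  ' if protected else 'FAIL'} {reason}")
```

To run it against a live page, build the `headers` mapping from the response object of whatever HTTP client you already use and pass it to `frame_protection`; the function deliberately takes plain data so it drops into any crawler's reporting loop.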
Is your site protected from clickjacking? Start your Creeper audit today to check for the X-Frame-Options header and other security best practices.