All SEO checks
Securityinfo
Missing X-Frame-Options header
What this check looks for
Checks whether the server sends an X-Frame-Options header (or an equivalent frame-ancestors directive in CSP) to control whether the page can be embedded in a frame.
Why it matters
X-Frame-Options prevents your pages from being loaded inside an iframe on another domain, which stops clickjacking attacks where an attacker overlays your UI to trick users into clicking. It's a low-risk header that most security scanners and audits expect to see. The modern equivalent is the CSP frame-ancestors directive, and you can safely send both.
How to fix it
nginx
# Block embedding on other origins (legacy header)
add_header X-Frame-Options "SAMEORIGIN" always;
# Modern equivalent via CSP
add_header Content-Security-Policy "frame-ancestors 'self'" always;Go deeper
Check your site for this and 120+ other issues
Analyze any URL free