Skip to main content
All SEO checks
Securityinfo

Missing X-Frame-Options header

What this check looks for

Checks whether the server sends an X-Frame-Options header (or an equivalent frame-ancestors directive in CSP) to control whether the page can be embedded in a frame.

Why it matters

X-Frame-Options prevents your pages from being loaded inside an iframe on another domain, which stops clickjacking attacks where an attacker overlays your UI to trick users into clicking. It's a low-risk header that most security scanners and audits expect to see. The modern equivalent is the CSP frame-ancestors directive, and you can safely send both.

How to fix it

nginx
# Block embedding on other origins (legacy header)
add_header X-Frame-Options "SAMEORIGIN" always;

# Modern equivalent via CSP
add_header Content-Security-Policy "frame-ancestors 'self'" always;

Go deeper

Check your site for this and 120+ other issues

Analyze any URL free