HTTP security headers

X-Frame-Options & Clickjacking Protection

How the X-Frame-Options header (and CSP frame-ancestors) stops other sites from framing your pages, and how WebGuard checks for clickjacking protection.

Last updated June 9, 2026

What it is

X-Frame-Options is a response header that controls whether other websites are allowed to embed your pages inside a frame or iframe. The modern equivalent is the `frame-ancestors` directive in a Content-Security-Policy; either one signals the same intent to the browser.

Why it matters

Without framing protection, an attacker can load your real page invisibly on top of their own and trick a logged-in user into clicking buttons they cannot see, a technique called clickjacking. For anything with authenticated actions (account changes, payments, approvals), this is a meaningful risk that a single header removes.

How WebGuard checks it

WebGuard reads your response headers and reports whether the X-Frame-Options header is present. The check only inspects headers your public site already returns and sends no intrusive requests. Note that a modern CSP frame-ancestors policy provides equivalent protection, so review this finding in that context.

A sensible starting configuration:

X-Frame-Options: DENY

Check this on your own domain

WebGuard reviews this alongside the rest of your external exposure in a single read-only pass. Run a free review, or see everything it covers.