HTTP Header Field X-Frame-Options
D. Ross, T. Gondrom · 2013-10
Abstract
To improve the protection of web applications against clickjacking, this document describes the X-Frame-Options HTTP response header field, which declares a policy communicated from a host to the client browser on whether the browser must not display the transmitted content in frames from other sites.
Why This RFC Matters
RFC 7034 standardized X-Frame-Options, a widely deployed but previously non-standard HTTP response header that major browsers had already implemented to counter clickjacking, an attack in which a target site is embedded in a transparent iframe so that a user's clicks land on concealed elements. Through the DENY, SAMEORIGIN, and ALLOW-FROM directives, the header lets a site operator forbid all framing, permit only same-origin framing, or permit a single named origin (ALLOW-FROM was never supported by all browsers, so it should not be relied on). The more expressive Content Security Policy 'frame-ancestors' directive has largely superseded it, but X-Frame-Options remains a recommended defense-in-depth header in every major web security checklist and scanner.
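As an added example (not code from the RFC or from this page), the following Python evaluator applies the three directives the way RFC 7034 describes them, treating a missing or malformed header as offering no protection, which is the conservative assumption a scanner should make. The function names `parse_xfo` and `framing_allowed` and the origins used are constructed for illustration.

```python
"""Evaluate an X-Frame-Options response header per RFC 7034 (added example)."""
from urllib.parse import urlsplit


def origin_of(url: str) -> str:
    """Scheme://host[:port] of a URL, lower-cased (simplified RFC 6454 origin)."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}"


def parse_xfo(value):
    """Classify an X-Frame-Options value.

    Returns (directive, origin): directive is DENY, SAMEORIGIN, ALLOW-FROM or
    INVALID; origin is set only for ALLOW-FROM. Matching is case-insensitive.
    """
    if value is None:
        return ("INVALID", None)
    v = value.strip()
    up = v.upper()
    if up == "DENY":
        return ("DENY", None)
    if up == "SAMEORIGIN":
        return ("SAMEORIGIN", None)
    # ALLOW-FROM takes exactly one origin. Comma-joined or repeated values are
    # not defined by the RFC and browsers handle them inconsistently, so this
    # check treats anything else as an ineffective (invalid) header.
    if up.startswith("ALLOW-FROM ") and "," not in v:
        return ("ALLOW-FROM", origin_of(v[len("ALLOW-FROM "):].strip()))
    return ("INVALID", None)


def framing_allowed(value, page_url: str, framer_url: str) -> bool:
    """Would a conforming browser render page_url inside a frame on framer_url?"""
    directive, allowed = parse_xfo(value)
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    if directive == "ALLOW-FROM":
        return origin_of(framer_url) == allowed
    return True  # header missing or invalid: no clickjacking protection
```

A scanner that receives `INVALID` from `parse_xfo` should flag the response rather than assume a browser will fail closed.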