Your web hosting partners since 2004.
Buy now »

How to protect you website against clickjacking

The example below sends the X-Frame-Options response header with the value DENY, informing browsers not to display the content of the web page in any frame.

This might not be the best setting for everyone. You should read about the other two possible values the X-Frame-Options header field can have: SAMEORIGIN and ALLOW-FROM.


Keep in mind that while you could send the X-Frame-Options header for all of your website's pages, this has the potential downside that it forbids even non-malicious framing of your content (e.g.: when users visit your website using a Google Image Search results page).

Nonetheless, you should ensure that you send the X-Frame-Options header for all pages that allow a user to make a state changing operation (e.g: pages that contain one-click purchase links, checkout or bank-transfer confirmation pages, pages that make permanent configuration changes, etc.).


Add this to your .htaccess file for your Apache website

    <IfModule mod_headers.c>
        Header set X-Frame-Options "DENY"
        # `mod_headers` cannot match based on the content-type, however,
        # the `X-Frame-Options` response header should be send only for
        # HTML documents and not for the other resources.
        <FilesMatch "\.(appcache|atom|bbaw|bmp|crx|css|cur|eot|f4[abpv]|flv|geojson|gif|htc|ico|jpe?g|js|json(ld)?|m4[av]|manifest|map|mp4|oex|og[agv]|opus|otf|pdf|png|rdf|rss|safariextz|svgz?|swf|topojson|tt[cf]|txt|vcard|vcf|vtt|webapp|web[mp]|woff2?|xloc|xml|xpi)$">
            Header unset X-Frame-Options

Also See

Sending the X-Frame-Options header can also protect your website against more than just clickjacking attacks:


Last updated: 2022-08-23

« Go Back

Order now »

I am very happy the way my order are handle, and since 2005 that i am with dealing with phurix, never had bad experience.