LOGBOOK

HELP

Quiz Entry - updated: 2026.06.26

What does X-Frame-Options: deny protect against, and what attack is it the textbook defense for?

It tells the browser "don't let any other site embed me in a <frame>, <iframe>, or <object>" — defeating clickjacking.

Clickjacking: the attacker loads your site (say, your bank's "transfer money" page) in a transparent iframe, overlays a fake "click here to win!" page on top, and tricks the victim into clicking through. The clicks land on the real bank page, with the victim's real cookies, and money moves.

Values:

  • DENY — never let anyone frame this page.
  • SAMEORIGIN — only this same origin can frame it. Good default for most apps.
  • ALLOW-FROM uri — deprecated; replaced by CSP frame-ancestors.

The modern preferred way: Content-Security-Policy: frame-ancestors 'none' (or 'self'). CSP frame-ancestors overrides X-Frame-Options in browsers that support both.

Tip: Any page that performs sensitive actions on click (transfers, deletes, role changes) should be unframable. Login pages too — to block a "fake-page-on-top, real-password-field-underneath" trick.

From Quiz: ISF / Web Application Security Basics | Updated: Jun 26, 2026