Security Server response header - X-Frame-Option

What is X Frame Option header?​

The X-Frame-Options HTTP header is used to guide the browser which pages of the site can be displayed in <frame> , <iframe> , and <embed> . This technology does not allow loading website's content in frames on third-party resources, thereby protecting it from clickjacking attacks.

Basic directives​

allow-from - Allows downloads from specified URLs only, but this directive is no longer supported in some browsers. Better use the Content-Security-Policy (CSP) header along with the frame-ancestors directive. Example:​
add_header Content-Security-Policy "frame-ancestors 'self'";
sameorigin - The page can only be displayed if all parent frames are on the same domain.​
deny - the page cannot be displayed in a frame, no matter what site the request comes from.​

Using Referrer-Policy in nginx.conf (NGINX):
add_header X-Frame-Options SAMEORIGIN;

Using Referrer-Policy in httpd.conf (Apache):
Header always set X-Frame-Options "SAMEORIGIN"

Using Referrer-Policy in .htaccess:
<ifModule mod_headers.c>
    Header set X-Frame-Options "SAMEORIGIN"