What is the X-Frame-Options header?
The X-Frame-Options HTTP response header tells the browser whether a page of the site may be displayed inside a <frame>, <iframe>, or <embed> element. It stops the site's content from being loaded in frames on third-party resources, thereby protecting it from clickjacking attacks.

Basic directives
allow-from - Allows the page to be framed only from the specified URL. This directive is no longer supported in some browsers, so use the Content-Security-Policy (CSP) header with the frame-ancestors directive instead. Example:
add_header Content-Security-Policy "frame-ancestors 'self' https://domain1.com/ https://domain2.com/ https://domain3.com/";
sameorigin - The page can only be displayed in a frame if all parent frames are on the same domain.
deny - The page cannot be displayed in a frame at all, regardless of which site makes the request.
Setting X-Frame-Options in nginx.conf (NGINX):
add_header X-Frame-Options SAMEORIGIN;
Setting X-Frame-Options in httpd.conf (Apache):
Header always set X-Frame-Options "SAMEORIGIN"
Setting X-Frame-Options in .htaccess:
<IfModule mod_headers.c>
# "always" also adds the header to error responses (4xx/5xx), as in the httpd.conf example above
Header always set X-Frame-Options "SAMEORIGIN"
</IfModule>
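After deploying one of the configurations above it is worth verifying what the server actually sends. The following Python script is an added example, not part of the original article: it audits a set of response headers for clickjacking protection, accepting DENY or SAMEORIGIN in X-Frame-Options, flagging the obsolete ALLOW-FROM form, and parsing the CSP frame-ancestors directive as the supported replacement. The header sets at the bottom are constructed sample data, not captured from any real site; the function names are this example's own.

```python
"""Audit HTTP response headers for clickjacking (framing) protection.

Added example: checks X-Frame-Options and the CSP frame-ancestors directive,
the two mechanisms described in the article. All header sets are constructed.
"""
from typing import Dict, List, Optional, Tuple


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    CSP directives are separated by ';' and tokens within one by whitespace.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def audit_framing_headers(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify the framing policy as 'protected', 'weak' or 'unprotected'.

    Header names are matched case-insensitively, as HTTP requires.
    Returns the verdict plus human-readable findings.
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    protected = False

    xfo = h.get("x-frame-options")
    if xfo is None:
        findings.append("X-Frame-Options header missing")
    else:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            protected = True
            findings.append(f"X-Frame-Options {value} restricts framing")
        elif value.startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by "
                            "current browsers; use CSP frame-ancestors instead")
        else:
            findings.append(f"X-Frame-Options has unrecognised value {xfo!r}; "
                            "browsers treat the header as absent")

    csp = h.get("content-security-policy")
    ancestors = parse_frame_ancestors(csp) if csp else None
    if ancestors is None:
        findings.append("CSP frame-ancestors directive missing")
    elif "*" in ancestors:
        findings.append("CSP frame-ancestors '*' lets any site frame the page")
    else:
        protected = True
        # An empty source list is equivalent to 'none' per the CSP spec.
        allowed = " ".join(ancestors) or "'none'"
        findings.append(f"CSP frame-ancestors restricts framing to {allowed}")

    if protected:
        verdict = "protected"
    elif xfo is not None or ancestors is not None:
        verdict = "weak"  # a header is present but gives no real protection
    else:
        verdict = "unprotected"
    return verdict, findings


# Constructed sample header sets (not captured from any real server)
SAMPLES: Dict[str, Dict[str, str]] = {
    "nginx-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "csp-allowlist": {"Content-Security-Policy":
                      "default-src 'self'; frame-ancestors 'self' https://domain1.com/"},
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://domain1.com/"},
    "no-headers": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, notes = audit_framing_headers(hdrs)
        print(f"{name}: {verdict}")
        for note in notes:
            print("  -", note)
```

To check a live deployment, feed the function the headers of a real response (for example the dictionary returned by an HTTP client library); run it against an error page as well, since Apache only adds the header to error responses when "always" is used.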