Skip to main content
Vantyris

Headers

X-Frame-Options and frame-ancestors: the anti-clickjacking header.

Published 2026-05-19 · Last updated 2026-05-19 · Vantyris editorial

If your site doesn't send the `X-Frame-Options` header (or its modern equivalent, `Content-Security-Policy: frame-ancestors`), any other website can embed yours inside an invisible iframe and trick visitors into clicking buttons they didn't mean to click. That's clickjacking. The fix is one header, takes 5 minutes, and breaks nothing for almost every small business site.

What this means for your business

How to fix

Add either `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` to your site's response headers. If you use CSP already, just add `frame-ancestors` to your existing policy.

  1. Pick your header. If you have no CSP at all, the simplest is to add `X-Frame-Options: DENY`. If you already have CSP, add `frame-ancestors 'none'` to the existing policy. Modern browsers prefer `frame-ancestors`; old IE only reads `X-Frame-Options`. Some sites send both.
  2. Add it to your host's response headers. Most hosts let you add custom headers in the SSL/security section. Cloudflare: Rules → Transform Rules → Modify Response Header. Apache: in `.htaccess`, `Header always set X-Frame-Options DENY`. Nginx: `add_header X-Frame-Options DENY always;`.
  3. Test it. Open Chrome DevTools → Network → click any request to your domain → check Response Headers. You should see `x-frame-options: DENY` (or your `frame-ancestors` directive in the CSP). Or use observatory.mozilla.org.

Owner: Your web host or developer. · Time: 5 minutes.

Common gotchas

How to verify the fix

Run a Vantyris scan or check observatory.mozilla.org. Both flag the absence of either header.

Cyber Essentials alignment

This finding informs the following UK NCSC Cyber Essentials control areas:

Vantyris is not a CE certifying body. The mapping above is informational.

Common follow-up questions

Do I need both X-Frame-Options and frame-ancestors?

Modern browsers read `frame-ancestors`; older ones only read `X-Frame-Options`. If you care about IE and very old Edge, send both. Otherwise just use `frame-ancestors` via CSP.

Will this break embedded YouTube/Stripe on my site?

No. The header controls who can embed YOUR site; it has no effect on what your site embeds.

Can attackers bypass this?

Not from the browser side. The header is enforced by the browser before rendering. The only bypass is if the attacker controls the browser itself, at which point you have bigger problems.

References

Related explainers

Want Vantyris to scan your domain for this and 80 other findings?

Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.

Editorial

Vantyris editorial team · methodology v1.0.0