Headers
X-Frame-Options and frame-ancestors: the anti-clickjacking header.
Published 2026-05-19 · Last updated 2026-05-19 · Vantyris editorial
If your site doesn't send the `X-Frame-Options` header (or its modern equivalent, `Content-Security-Policy: frame-ancestors`), any other website can embed yours inside an invisible iframe and trick visitors into clicking buttons they didn't mean to click. That's clickjacking. The fix is one header, takes 5 minutes, and breaks nothing for almost every small business site.
What this means for your business
- An attacker copies a single button from your site (say, 'Confirm payment' or 'Delete account') and overlays it on a page they control. The visitor thinks they're clicking 'Play video' on the attacker's site; they're actually clicking the hidden button on yours.
- X-Frame-Options is the original anti-clickjacking header. CSP's `frame-ancestors` directive is its modern successor. Send either (or both) and the browser refuses to render your site inside an iframe from a different origin.
- Unless your site is specifically designed to be embedded (e.g., a help widget, an embeddable map), you want this turned ON.
How to fix
Add either `X-Frame-Options: DENY` or `Content-Security-Policy: frame-ancestors 'none'` to your site's response headers. If you use CSP already, just add `frame-ancestors` to your existing policy.
- Pick your header. If you have no CSP at all, the simplest is to add `X-Frame-Options: DENY`. If you already have CSP, add `frame-ancestors 'none'` to the existing policy. Modern browsers prefer `frame-ancestors`; old IE only reads `X-Frame-Options`. Some sites send both.
- Add it to your host's response headers. Most hosts let you add custom headers in the SSL/security section. Cloudflare: Rules → Transform Rules → Modify Response Header. Apache: in `.htaccess`, `Header always set X-Frame-Options DENY`. Nginx: `add_header X-Frame-Options DENY always;`.
- Test it. Open Chrome DevTools → Network → click any request to your domain → check Response Headers. You should see `x-frame-options: DENY` (or your `frame-ancestors` directive in the CSP). Or use observatory.mozilla.org.
Owner: Your web host or developer. · Time: 5 minutes.
Common gotchas
- If your site IS supposed to be embedded somewhere specific (you provide a widget for partners), use `X-Frame-Options: ALLOW-FROM https://partner.com` (deprecated) or `Content-Security-Policy: frame-ancestors https://partner.com` (modern).
- `X-Frame-Options: SAMEORIGIN` allows your own domain to embed itself. Useful if your site has internal iframes; unnecessary otherwise.
- Some hosts (older shared hosting) don't let you add custom headers. In that case, a CDN in front (Cloudflare's free tier) gives you the control.
How to verify the fix
Run a Vantyris scan or check observatory.mozilla.org. Both flag the absence of either header.
Cyber Essentials alignment
This finding informs the following UK NCSC Cyber Essentials control areas:
- A2. Secure configuration — devices and services hardened against the inherent default vulnerabilities.
Vantyris is not a CE certifying body. The mapping above is informational.
Common follow-up questions
Do I need both X-Frame-Options and frame-ancestors?
Modern browsers read `frame-ancestors`; older ones only read `X-Frame-Options`. If you care about IE and very old Edge, send both. Otherwise just use `frame-ancestors` via CSP.
Will this break embedded YouTube/Stripe on my site?
No. The header controls who can embed YOUR site; it has no effect on what your site embeds.
Can attackers bypass this?
Not from the browser side. The header is enforced by the browser before rendering. The only bypass is if the attacker controls the browser itself, at which point you have bigger problems.
References
Related explainers
- Content Security Policy: the header that stops most XSS attacks dead.
- HSTS: the security header that locks HTTPS on for good.
Want Vantyris to scan your domain for this and 80 other findings?
Free teaser scan, no card. Verified scan from €10 with the full workspace around it: workflow, score trend, three PDF layouts, share links, monitoring.
Vantyris editorial team · methodology v1.0.0