X-Frame-Options

What This Does

This protection controls whether your site can be embedded inside an iframe on another website.

It helps prevent unauthorized framing of your content.

Why It Matters

Without restrictions, your site can be embedded within another page using an iframe.

This can be used for:

clickjacking attacks
tricking users into interacting with hidden elements
overlaying malicious interfaces on top of your site

Restricting iframe usage helps protect users from these types of attacks.

When to Apply It

This protection is recommended for most websites.

Apply it when:

your site should not be embedded on other domains
you want to prevent clickjacking
your site does not rely on being framed externally

When Not to Apply It

Do not apply strict restrictions if:

your site must be embedded in another application
you intentionally allow framing (e.g., widgets, integrations)

In these cases, more flexible policies may be required.

How Steel Security Applies This

Steel Security sets the X-Frame-Options HTTP header.

Common values include:

DENY — prevents all framing
SAMEORIGIN — allows framing only on the same domain

The appropriate value depends on your site’s requirements.

What to Expect After Applying

After applying this protection:

your site cannot be embedded in unauthorized iframes
browsers will block framing attempts
your site functionality will remain unchanged in most cases

How to Verify

To verify the protection:

Open your browser developer tools
Navigate to the Network tab
Inspect a page request
Look for the X-Frame-Options header

You should see the configured value (e.g., DENY or SAMEORIGIN).

How to Revert (Rollback)

To revert this protection:

Navigate to the hardening section in Steel Security
Disable or adjust the control
Confirm the change
Re-check the response headers

Common Issues

Site Cannot Be Embedded

This is expected if framing is restricted.

If embedding is required:

adjust the policy
use a more flexible approach if supported

Header Not Appearing

verify server configuration supports headers
check for CDN or caching layers
ensure no conflicting rules exist

Conflicts with Other Policies

Content Security Policy (CSP) may also control framing
ensure policies are aligned

Uploads PHP Execution Protection

Block Direct PHP Access

Prevent Execution in Sensitive Directories

Disable Directory Listing

Protect Backup Files

Protect Configuration Files

Disable Debug Mode

Disable File Editing in Admin

Restrict XML-RPC

Security Headers Overview

Content Security Policy (CSP)

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Hide Version Information

Restrict Sensitive Endpoints

Limit Exposure of System Info

Apache (.htaccess) Hardening

Nginx Hardening

IIS (web.config) Hardening

X-Frame-Options

What This Does

Why It Matters

When to Apply It

When Not to Apply It

How Steel Security Applies This

What to Expect After Applying

How to Verify

How to Revert (Rollback)

Common Issues

Site Cannot Be Embedded

Header Not Appearing

Conflicts with Other Policies

Uploads PHP Execution Protection

Block Direct PHP Access

Prevent Execution in Sensitive Directories

Disable Directory Listing

Protect Backup Files

Protect Configuration Files

Disable Debug Mode

Disable File Editing in Admin

Restrict XML-RPC

Security Headers Overview

Content Security Policy (CSP)

X-Frame-Options

X-Content-Type-Options

Referrer-Policy

Hide Version Information

Restrict Sensitive Endpoints

Limit Exposure of System Info

Apache (.htaccess) Hardening

Nginx Hardening

IIS (web.config) Hardening

X-Frame-Options

What This Does

Why It Matters

When to Apply It

When Not to Apply It

How Steel Security Applies This

What to Expect After Applying

How to Verify

How to Revert (Rollback)

Common Issues

Site Cannot Be Embedded

Header Not Appearing

Conflicts with Other Policies

Related