Use the X-Frame-Options header to prevent clickjacking on your website. By sending this header, you instruct the browser not to render your web page inside a frame or iframe. Browser support for the header has some limitations, so check them before relying on it.

You can configure one of the following three values.

Value         Meaning
SAMEORIGIN    Framing of the content is allowed only from the same site origin.
DENY          No domain may embed your content in a frame/iframe.
ALLOW-FROM    Framing of the content is allowed only from a particular URI.
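Whichever server you configure, the result is only as good as the value the browser actually receives. The following is an added example, not code from the original article: it applies the rules from the table above (plus the caveats a reviewer cares about: missing header, comma-joined values from two layers each adding it, the poorly supported ALLOW-FROM, and a CSP frame-ancestors directive that takes precedence) to a set of response headers. The names evaluate_xfo, check_url, XfoResult and SAMPLE_RESPONSES are this example's own, and the sample responses are constructed, not real captures.

```python
"""Classify the X-Frame-Options header a server sends back.

Added example, not code from the original article: run this after applying
one of the server configurations to confirm the header arrived with a value
browsers will actually enforce.
"""
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple
import urllib.request


@dataclass
class XfoResult:
    value: Optional[str]      # raw header value, None when the header is absent
    effective: str            # DENY, SAMEORIGIN, ALLOW-FROM, NONE or INVALID
    protected: bool           # True when third-party framing is blocked
    notes: Tuple[str, ...]    # caveats a reviewer should read


def evaluate_xfo(headers: Mapping[str, str]) -> XfoResult:
    """Apply the X-Frame-Options rules to a set of response headers."""
    # Header names are case-insensitive, so normalise before looking them up.
    lookup = {name.lower(): val for name, val in headers.items()}
    raw = lookup.get("x-frame-options")
    notes = []

    # CSP frame-ancestors supersedes X-Frame-Options in browsers that support
    # it; flag it so the reader knows which policy actually applies.
    if "frame-ancestors" in lookup.get("content-security-policy", "").lower():
        notes.append("CSP frame-ancestors present; it takes precedence over "
                     "X-Frame-Options where supported")

    if raw is None:
        notes.append("header missing: any site may frame this page")
        return XfoResult(None, "NONE", False, tuple(notes))

    # A comma-joined value such as "SAMEORIGIN, DENY" appears when two layers
    # (proxy and application, or Apache 'Header append') each add the header.
    # The HTML Standard's processing model resolves a conflict to DENY only
    # when "deny" is one of the values; any other conflict allows framing.
    values = [v.strip().lower() for v in raw.split(",")]
    unique = set(values)
    if len(unique) > 1:
        if "deny" in unique:
            notes.append("conflicting values; spec-conforming browsers resolve "
                         "to DENY, but remove the duplicate layer anyway")
            return XfoResult(raw, "DENY", True, tuple(notes))
        notes.append("conflicting values without DENY; browsers allow framing, "
                     "look for a second layer (proxy, CDN, app) setting it too")
        return XfoResult(raw, "INVALID", False, tuple(notes))

    token = values[0]
    if token == "deny":
        return XfoResult(raw, "DENY", True, tuple(notes))
    if token == "sameorigin":
        notes.append("same-origin pages may still frame this one")
        return XfoResult(raw, "SAMEORIGIN", True, tuple(notes))
    if token.startswith("allow-from"):
        # Only some browsers ever implemented ALLOW-FROM; the others ignore the
        # whole header, which leaves the page frameable by anyone.
        notes.append("ALLOW-FROM is not honoured by every browser; use CSP "
                     "frame-ancestors to allow-list a framing origin")
        return XfoResult(raw, "ALLOW-FROM", False, tuple(notes))

    notes.append(f"unrecognised value {raw!r}; browsers ignore it")
    return XfoResult(raw, "INVALID", False, tuple(notes))


def check_url(url: str, timeout: float = 5.0) -> XfoResult:
    """Fetch a URL (needs network access) and evaluate its response headers."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return evaluate_xfo(dict(resp.headers.items()))


# Constructed sample responses covering the cases above (not real captures).
SAMPLE_RESPONSES = {
    "apache_set":    {"Server": "Apache", "X-Frame-Options": "DENY"},
    "nginx_lower":   {"server": "nginx", "x-frame-options": "sameorigin"},
    "double_deny":   {"X-Frame-Options": "SAMEORIGIN, DENY"},
    "double_nodeny": {"X-Frame-Options": "SAMEORIGIN, ALLOW-FROM https://partner.example"},
    "allow_from":    {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp_and_xfo":   {"X-Frame-Options": "DENY",
                      "Content-Security-Policy": "frame-ancestors 'none'"},
    "unprotected":   {"Server": "nginx"},
}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        r = evaluate_xfo(hdrs)
        print(f"{name:14} {r.effective:10} protected={r.protected}  "
              + "; ".join(r.notes))
```

Point check_url at the site after the restart; a result other than DENY (or SAMEORIGIN, if that is what you configured) with no notes means some layer in front of or behind the web server is changing the header.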

Let's take a look at how to implement "DENY" so that no domain can embed the web page.

Apache HTTP Server

Add the following line to httpd.conf (mod_headers must be enabled) and restart the web server to verify the result. "set" replaces any value another module or the application already added; "append" would instead join them with a comma and produce a conflicting header.

Header always set X-Frame-Options "DENY"

Nginx

Add the following in nginx.conf inside the server block. The "always" parameter makes Nginx send the header on error responses too; without it, add_header applies only to successful and redirect responses. Note that an add_header in a location block replaces all add_header lines inherited from the server level, so repeat it there if needed.

add_header X-Frame-Options "DENY" always;

Restart Nginx to verify the results.

F5 BIG-IP

Create an iRule with the following and associate it with the respective virtual server. The header is inserted on the HTTP response event so that it reaches the browser.

when HTTP_RESPONSE {
    # Added to every response leaving this virtual server
    HTTP::header insert "X-Frame-Options" "DENY"
}


You don't need to restart anything; the change takes effect immediately.

WordPress

You can also set this header from WordPress. Add the following to wp-config.php, which is loaded before any output is sent (a requirement for header() to work):

header('X-Frame-Options: DENY');

If you are not comfortable editing the file, you can use a plugin instead, as explained here.

Microsoft IIS

Add the header under "HTTP Response Headers" for the respective site in IIS Manager.

Restart the site to see the results.