Security · Medium

X-Frame-Options

Checks that the response sets X-Frame-Options, which prevents clickjacking by stopping other sites from loading the page inside a frame.

What this check measures

We read the `X-Frame-Options` response header. Recommended values: `DENY` (the page may never be framed) or `SAMEORIGIN` (only pages from the same origin, meaning the same scheme, host and port, may frame it; per the HTML specification every ancestor frame is checked, not just the top-level page). The modern replacement is the CSP `frame-ancestors` directive, and browsers prefer it: when a response carries `frame-ancestors`, its `X-Frame-Options` header is ignored. Ship both so that older clients without `frame-ancestors` support still get protection.

Why it matters

Prevents clickjacking: an attacker loads your site in an invisible (transparent or off-screen) iframe on top of their own page and tricks the visitor into clicking buttons they cannot see, such as "confirm transfer" or "delete user". Any page that exposes authenticated, state-changing actions needs this; banking and admin UIs MUST ship it.


How our audit detects it

We read the `X-Frame-Options` header on the HTML response. Accepted values (case-insensitive): `DENY`, `SAMEORIGIN`. We flag a missing header, the obsolete `ALLOW-FROM uri` form, any unrecognised value (browsers ignore the whole header in that case, so the page stays frameable), and conflicting values sent more than once.

Typical findings

  • Header missing — site can be embedded by anyone.
  • Value = ALLOW-FROM — obsolete, ignored by most browsers.

How to fix

Add `X-Frame-Options: DENY` to every HTML response, not just the home page, unless your app must be embedded in pages on your own origin (then use `SAMEORIGIN`). Pair it with the matching CSP directive: `Content-Security-Policy: frame-ancestors 'none'` for DENY, `frame-ancestors 'self'` for SAMEORIGIN. Both must be sent as HTTP headers: neither `X-Frame-Options` nor `frame-ancestors` takes effect from a `<meta http-equiv>` tag. If you already send a CSP, append the directive to the existing policy.
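As an added example that is not Pantra's audit code, the following Node.js script implements the detection logic described under "How our audit detects it" and builds the header pair recommended under "How to fix". It assumes headers arrive as a plain object keyed by lowercase name, the shape Node's `http` module uses for `IncomingMessage.headers`; the sample header sets at the bottom are constructed, not captured from any real site, and the function names are this example's own.

```javascript
'use strict';
// Added example, not Pantra's audit code. Evaluates a response's clickjacking
// protection (X-Frame-Options plus the CSP frame-ancestors replacement) and
// builds the headers the fix section asks for.
// Assumption: headers are a plain object keyed by lowercase header name, as in
// Node's http.IncomingMessage.headers.

const VALID_XFO = new Set(['DENY', 'SAMEORIGIN']);

// Return the source list of the CSP frame-ancestors directive, or null when absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of String(csp).split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

function evaluateFrameProtection(headers) {
  const findings = [];

  // X-Frame-Options values are ASCII case-insensitive. Node joins a header that
  // was sent more than once with ", ", so a comma means duplicate headers.
  const raw = headers['x-frame-options'];
  const values = raw
    ? [...new Set(String(raw).split(',').map((v) => v.trim().toUpperCase()).filter(Boolean))]
    : [];
  let xfoOk = false;
  if (values.length === 0) {
    findings.push('X-Frame-Options missing: page can be framed by any site');
  } else if (values.length > 1) {
    findings.push(`X-Frame-Options sent with conflicting values (${values.join(', ')}); send exactly one`);
  } else if (values[0].startsWith('ALLOW-FROM')) {
    findings.push('X-Frame-Options uses ALLOW-FROM: obsolete, ignored by current browsers');
  } else if (!VALID_XFO.has(values[0])) {
    findings.push(`X-Frame-Options value "${values[0]}" is not DENY or SAMEORIGIN and will be ignored`);
  } else {
    xfoOk = true;
  }

  // CSP frame-ancestors: when present, browsers use it and ignore X-Frame-Options.
  const ancestors = parseFrameAncestors(headers['content-security-policy']);
  let cspOk = false;
  if (ancestors === null) {
    findings.push('CSP frame-ancestors missing: add it alongside X-Frame-Options');
  } else if (ancestors.length === 0) {
    findings.push("CSP frame-ancestors has no sources; write 'none' or 'self' explicitly");
  } else if (ancestors.some((s) => s === '*' || s === 'http:' || s === 'https:')) {
    findings.push(`CSP frame-ancestors allows any site (${ancestors.join(' ')})`);
  } else {
    cspOk = true;
  }

  const status = xfoOk && cspOk ? 'pass' : xfoOk || cspOk ? 'partial' : 'fail';
  return { status, findings };
}

// Headers for the fix: DENY with frame-ancestors 'none', or SAMEORIGIN with
// frame-ancestors 'self'. An existing CSP is extended rather than replaced,
// unless it already carries a frame-ancestors directive.
function frameProtectionHeaders(mode, existingCsp = '') {
  const m = String(mode).toLowerCase();
  if (m !== 'deny' && m !== 'sameorigin') throw new Error(`unknown mode: ${mode}`);
  const directive = m === 'deny' ? "frame-ancestors 'none'" : "frame-ancestors 'self'";
  let csp = existingCsp.trim();
  if (parseFrameAncestors(csp) === null) {
    csp = csp ? `${csp.replace(/;\s*$/, '')}; ${directive}` : directive;
  }
  return { 'x-frame-options': m.toUpperCase(), 'content-security-policy': csp };
}

// Constructed sample responses, not captured from any real site.
const SAMPLES = {
  unprotected: { 'content-type': 'text/html' },
  obsolete: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  conflicting: { 'x-frame-options': 'SAMEORIGIN, DENY' },
  xfoOnly: { 'x-frame-options': 'sameorigin' },
  hardened: frameProtectionHeaders('deny', "default-src 'self'"),
};

function runSamples() {
  const out = {};
  for (const [name, headers] of Object.entries(SAMPLES)) out[name] = evaluateFrameProtection(headers);
  return out;
}

for (const [name, result] of Object.entries(runSamples())) {
  console.log(`${name}: ${result.status}`);
  for (const f of result.findings) console.log(`  - ${f}`);
}
```

Run it with `node` to see each sample's status, or pass `res.headers` from an `http.get` callback to `evaluateFrameProtection` to check a live site. Because browsers ignore `X-Frame-Options` once `frame-ancestors` is present, the report scores the two separately and only reports `pass` when both are in place.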

Copy-paste fix prompt for your stack

Lovable · Cursor · Bolt · v0 · Replit · Windsurf · Claude Code · Base44


Frequently asked questions

DENY breaks my OAuth popup?
No. OAuth redirects and popup windows work fine: `DENY` only stops your page from being loaded inside a frame on another page; top-level navigations and `window.open` popups are unaffected. The one setup that breaks is an app that embeds the provider's login page in an iframe, and there it is the provider's header that blocks the frame, not yours.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

