Clickjacking loads your site in an invisible <iframe> on an attacker's page, so clicks the user thinks
are landing on the attacker's decoy actually land on your UI. Block framing with both the modern CSP
directive and the legacy header (for old browsers).
The values
- Modern: Content-Security-Policy: frame-ancestors 'self' (only your own pages may frame you).
- Legacy: X-Frame-Options: SAMEORIGIN.
Where both are present, browsers that support CSP frame-ancestors ignore X-Frame-Options. Set both so
old clients are still covered. Use frame-ancestors 'none' (legacy equivalent: X-Frame-Options: DENY)
to forbid all framing. Note that frame-ancestors is checked against every ancestor frame up to the
top-level page, not only the immediate parent, so a partner page that is itself framed by a third
party does not get you embedded on that third party's site.
Nginx
# Put these at server level; an add_header inside a location block replaces (does not add to)
# every add_header inherited from the enclosing level, so repeat them there if needed.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;
Apache
# "always" also applies the headers to error responses (4xx/5xx), which are frameable too.
Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self'"
Caddy
header {
X-Frame-Options "SAMEORIGIN"
Content-Security-Policy "frame-ancestors 'self'"
}
_headers (Netlify, Cloudflare Pages)
/*
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy: frame-ancestors 'self'
Allow a specific partner to frame you
X-Frame-Options can't list arbitrary origins: its ALLOW-FROM is dead, and current browsers treat an
ALLOW-FROM value as unrecognised and apply no framing restriction at all, so it is worse than nothing.
Use CSP, and keep X-Frame-Options: SAMEORIGIN beside it (browsers that understand frame-ancestors
ignore it; the few that don't will block the partner embed rather than leave you unprotected):
Content-Security-Policy: frame-ancestors 'self' https://partner.example.com
Verify
curl -sI https://yourdomain.com | grep -iE 'x-frame-options|frame-ancestors'
-I sends a HEAD request, and some servers and CDNs answer HEAD with different headers than GET. If
nothing shows up, dump the headers of a real GET instead:
curl -s -o /dev/null -D - https://yourdomain.com | grep -iE 'x-frame-options|frame-ancestors'
Check the pages that matter (login, account, checkout), not just the home page, since location
blocks and error pages can carry different headers.
Already setting a full CSP? Add frame-ancestors to that single policy instead of a second
Content-Security-Policy header. Multiple CSP headers do work (each policy is enforced on its own, so a
framing attempt must be allowed by all of them), but one policy is easier to read and audit.
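To see the precedence and matching rules above in action, here is a small Python checker, added as an illustration and not part of the page or of any server's code. Given a response's headers and the chain of ancestor frames, it decides whether a browser would render the page: a CSP frame-ancestors directive, when present, is applied (one policy at a time, every ancestor must pass) and X-Frame-Options is ignored; otherwise X-Frame-Options is evaluated the way browsers do (DENY blocks, SAMEORIGIN checks every ancestor, anything else including ALLOW-FROM gives no protection). The source matching is an approximation of CSP3 host-source matching, and the header sets, origins and URLs are constructed examples.

```python
"""Framing-protection checker (added example, not the page's own tooling).
Applies the rule that CSP frame-ancestors overrides X-Frame-Options and
approximates CSP3 source matching; all headers and origins below are
constructed samples, not captured from a real server."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url):
    """(scheme, host, port) of a URL, with the scheme's default port filled in."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return (scheme, (p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(scheme))

def frame_ancestors_of(csp):
    """Source list of the frame-ancestors directive in one CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def source_matches(source, ancestor_url, page_url):
    """Does one frame-ancestors source expression cover the ancestor's origin?"""
    a_scheme, a_host, a_port = origin_of(ancestor_url)
    page_scheme = origin_of(page_url)[0]
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":
        return origin_of(ancestor_url) == origin_of(page_url)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:          # scheme-source such as https:
        return a_scheme == src[:-1]
    scheme, host_port = src.split("://", 1) if "://" in src else (None, src)
    host, _, port = host_port.split("/", 1)[0].partition(":")
    # Scheme: a scheme-less source inherits the page's scheme; https may stand in for http.
    wanted = scheme or page_scheme
    if not (a_scheme == wanted or (wanted == "http" and a_scheme == "https")):
        return False
    # Host: exact match, or a *.suffix wildcard that must cover at least one extra label.
    if host.startswith("*."):
        if not (a_host.endswith(host[1:]) and len(a_host) > len(host[1:])):
            return False
    elif a_host != host:
        return False
    # Port: '*' matches any; no port means the default port of the ancestor's scheme.
    if port == "*":
        return True
    if port == "":
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return a_port == int(port)

def framing_allowed(headers, page_url, ancestor_urls):
    """True if the page would render inside the given ancestor frames (innermost
    first, up to the top-level document); headers is a list of (name, value)."""
    csp_values = [v for k, v in headers if k.lower() == "content-security-policy"]
    policies = [fa for fa in map(frame_ancestors_of, csp_values) if fa is not None]
    if policies:
        # Each CSP header with frame-ancestors is enforced on its own and every
        # ancestor must be allowed by each one; X-Frame-Options is ignored.
        return all(any(source_matches(src, anc, page_url) for src in policy)
                   for policy in policies for anc in ancestor_urls)
    raw = [v for k, v in headers if k.lower() == "x-frame-options"]
    values = {piece.strip().lower() for v in raw for piece in v.split(",")}
    if not values:
        return True          # no header at all: anyone may frame the page
    if len(values) > 1:
        return False         # conflicting values: browsers refuse to render the page
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return all(origin_of(a) == origin_of(page_url) for a in ancestor_urls)
    return True              # unrecognised value, ALLOW-FROM included: no protection

# Constructed sample header sets (hypothetical origins, not from any real server).
PAGE = "https://yourdomain.com/account"
SAMPLES = {
    "self only (both headers)": [("X-Frame-Options", "SAMEORIGIN"),
                                 ("Content-Security-Policy", "frame-ancestors 'self'")],
    "partner allowed via CSP": [("X-Frame-Options", "SAMEORIGIN"),
                                ("Content-Security-Policy",
                                 "default-src 'self'; frame-ancestors 'self' https://partner.example.com")],
    "legacy ALLOW-FROM only": [("X-Frame-Options", "ALLOW-FROM https://partner.example.com")],
}
ANCESTORS = ("https://yourdomain.com/embed", "https://partner.example.com/widget", "https://evil.example/")

if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        for ancestor in ANCESTORS:
            verdict = "allowed" if framing_allowed(headers, PAGE, [ancestor]) else "blocked"
            print(f"{name:26} framed by {ancestor:36} -> {verdict}")
```

Running it shows the ALLOW-FROM sample as "allowed" for every ancestor, including the attacker's origin, which is the practical reason that header value must not be relied on. To audit a live site, replace SAMPLES with the (name, value) pairs from a real GET response.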