Stop Clickjacking: X-Frame-Options & CSP frame-ancestors

Clickjacking embeds your site in an invisible <iframe> on an attacker’s page. Block framing with both the modern CSP directive and the legacy header (for old browsers).

The values

• Modern: Content-Security-Policy: frame-ancestors 'self' (only your own pages may frame you).
• Legacy: X-Frame-Options: SAMEORIGIN.

Where both are present, browsers that support CSP frame-ancestors ignore X-Frame-Options. Set both so old clients are still covered. Use frame-ancestors 'none' to forbid all framing.

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;
add_header Content-Security-Policy "frame-ancestors 'self'" always;

Apache

Header always set X-Frame-Options "SAMEORIGIN"
Header always set Content-Security-Policy "frame-ancestors 'self'"

Caddy

header {
    X-Frame-Options "SAMEORIGIN"
    Content-Security-Policy "frame-ancestors 'self'"
}

_headers

/*
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy: frame-ancestors 'self'

Allow a specific partner to frame you

X-Frame-Options can’t list arbitrary origins (its ALLOW-FROM is dead) — use CSP:

Content-Security-Policy: frame-ancestors 'self' https://partner.example.com

Verify

curl -sI https://yourdomain.com | grep -iE 'x-frame-options|frame-ancestors'

Already setting a full CSP? Add frame-ancestors to that single policy instead of a second Content-Security-Policy header — multiple CSP headers are combined, but keeping one is cleaner.