 

How useful is the X-Frame-Options header in protecting against malicious framing?

Adding the X-Frame-Options DENY to the response header helps protect against malicious framing of the web page and as a solution it's certainly better than client-side JavaScript solutions.

But just how useful is it? Is it supported by all (modern) browsers and can it be bypassed by hackers intent on hijacking your site?

Catch22 asked Oct 14 '22 23:10


1 Answer

EricLaw's page maintains a list of supporting browsers.

Current versions of the major desktop browsers all support it; older versions and niche and some mobile browsers don't. So you will probably want to include an anti-framing <script> as well, to set top.location (and remove the page content first in case of anti-frame-busting; see this question for why).

You might prefer the script approach to X-Frame-Options when you want to selectively allow framing. X-Frame-Options does not permit ‘whitelisting’, so you can't e.g. allow Google Images traffic but not others.

Either way, IE6-7 will still allow attackers to frame your page and disable the frame-buster. Unfortunately the questionable <iframe security> attribute existed before X-Frame-Options. You could try adding <base target="_top"> to try to make any navigation break out traditional framing (or just not work, in the presence of anti-frame-busters), but this can't help you against invisible-iframe-overlay attacks.

bobince answered Oct 19 '22 01:10