How can I set X-Frame-Options in my PHP code so that it will be there in all the web pages from my server. Basically, I am trying to avoid iframe loading of my web app.
Use below in your php file which outputs response to client side.
header("X-Frame-Options: DENY");
DENY will fully block. You may try SAMEORIGIN option also.
header("X-Frame-Options: SAMEORIGIN");
If you are using apache web server, you can directly set in httpd.conf also.
<Directory />
...
Header always set X-Frame-Options "SAMEORIGIN"
</Directory>
The X-Frame-Options prevents your site content embedded into other sites. Browser allowed other sites to open web page in iframe. It also secure your Apache web server from clickjacking attack.
There are three options available to set with X-Frame-Options:
‘SAMEORIGIN’ – With this setting, you can embed pages on same origin. For example, add iframe of a page to site itself.
‘ALLOW-FROM uri – Use this setting to allow specific origin (website/domain) to embed pages of your site in iframe.
‘DENY – This will not allow any website to embed your site pages in an iframe.
We have two way to Setup X-Frame-Options
1. with Apache Configuration
2. with .htaccess
with Apache configuration:
Debian based systems: /etc/apache2/conf-enabled/security.conf Redhat based systems: /etc/httpd/conf/httpd.conf
Header set X-Frame-Options: "SAMEORIGIN" #Allow for Same Origin (Default Action)
Header set X-Frame-Options: "ALLOW-FROM http://example.com/" #Allow from specific origin
Header set X-Frame-Options: "DENY" #Deny to everyone
with .htaccess
Header append X-Frame-Options: "SAMEORIGIN"
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With