Prevent your Site from being used in an iframe

Often as a security measure, it can be a good idea to prevent your site from being put within an iframe. This is a measure to prevent against click-jacking. It’s well supported in most of today’s web browsers – with support for:

  • Chrome 4+
  • Firefox 1.9+
  • IE8+

This can be done by setting the HTTP header X-Frame-Options.


Header set X-Frame-Options DENY

or in PHP

header('X-Frame-Options: Deny');

If you try and load the site with this header present, within Firefox you will get this message

Load denied by X-Frame-Options: does not permit cross-origin framing.