What is the X-Frame-Options header?

Updated May 6, 2026

Short answer

It prevents a page from being embedded in iframes.

Deep explanation

It protects against clickjacking by controlling whether a page can be embedded in an iframe.

Real-world example

Bank sites block their pages from being embedded in malicious pages.

Common mistakes

  • Using it alone instead of CSP frame-ancestors.

Follow-up questions

  • What is ALLOW-FROM?
  • Better alternative?
