The X-Frame-Options HTTP response header defends an application against clickjacking attacks. It tells the browser whether it is allowed to render the page inside a frame, iframe, embed or object element.

For example, to disallow displaying of a page in a frame:

X-Frame-Options: DENY

This header can be configured in three ways:

  • DENY – the page may not be displayed in a frame at all, regardless of which site attempts to frame it.

  • SAMEORIGIN – the page may only be framed by pages from the same origin.

  • ALLOW-FROM – allows framing from one specific URL. This value is obsolete: modern browsers do not support it and treat the header as invalid, leaving the page unprotected. Use the Content-Security-Policy frame-ancestors directive instead.
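The following is an added example, not part of the original page: a small Python auditor that reads a raw HTTP response header block and classifies the framing posture implied by the three values above, flagging the cases a defender wants to catch (missing header, obsolete ALLOW-FROM, unrecognised values, and duplicate headers with conflicting values). The sample responses embedded in it are constructed for illustration; the handling of CSP frame-ancestors reflects that browsers let it supersede X-Frame-Options when both are present.

```python
"""Classify the clickjacking protection of an HTTP response from its headers.

Added example (not the page's own code). Sample responses are constructed.
"""
from __future__ import annotations

# Values that current browsers honour; everything else is ignored or invalid.
VALID_VALUES = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs.

    Order and duplicates are kept on purpose: a duplicated X-Frame-Options
    header is itself a finding worth reporting.
    """
    pairs: list[tuple[str, str]] = []
    for line in raw.splitlines():
        if not line.strip() or line.startswith("HTTP/"):
            continue  # skip the status line and blank separators
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit_frame_options(headers: list[tuple[str, str]]) -> dict[str, str]:
    """Return {'status': ..., 'detail': ...} for the response's framing policy.

    status is one of:
      'protected'     - DENY/SAMEORIGIN, or a CSP frame-ancestors directive
      'misconfigured' - header present but browsers will not enforce it as intended
                        (ALLOW-FROM, unrecognised value, conflicting duplicates)
      'missing'       - neither X-Frame-Options nor CSP frame-ancestors present
    """
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    frame_ancestors = [
        d.strip() for v in csp for d in v.split(";")
        if d.strip().lower().startswith("frame-ancestors")
    ]

    if frame_ancestors:
        # CSP frame-ancestors takes precedence over X-Frame-Options in browsers.
        return {"status": "protected", "detail": f"CSP '{frame_ancestors[0]}' governs framing"}

    if not xfo:
        return {"status": "missing", "detail": "no X-Frame-Options or CSP frame-ancestors header"}

    # Normalise: the header is case-insensitive and may carry comma-separated values.
    values = {v.strip().upper() for raw in xfo for v in raw.split(",")}
    if len(values) > 1:
        return {"status": "misconfigured",
                "detail": f"conflicting values {sorted(values)}; set exactly one"}

    value = values.pop()
    if value in VALID_VALUES:
        return {"status": "protected", "detail": f"X-Frame-Options: {value}"}
    if value.startswith("ALLOW-FROM"):
        return {"status": "misconfigured",
                "detail": "ALLOW-FROM is obsolete and ignored; use CSP frame-ancestors"}
    return {"status": "misconfigured", "detail": f"unrecognised value {value!r}"}


# Constructed sample responses covering each case the auditor distinguishes.
SAMPLE_RESPONSES = {
    "deny": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n",
    "sameorigin_lowercase": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n",
    "duplicate": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "csp": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n",
    "none": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
}


def audit_samples() -> dict[str, str]:
    """Run the auditor over every constructed sample and return name -> status."""
    return {name: audit_frame_options(parse_raw_headers(raw))["status"]
            for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        result = audit_frame_options(parse_raw_headers(raw))
        print(f"{name:22s} {result['status']:14s} {result['detail']}")
```

To check a live deployment, feed `audit_frame_options` the header list from any HTTP client; the `parse_raw_headers` helper exists only so the example runs on the embedded text without network access.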


For nginx, add the following directive to the server block of the configuration file:

add_header X-Frame-Options "SAMEORIGIN";


For Apache httpd (mod_headers), add the equivalent directive to the configuration:

Header always set X-Frame-Options "SAMEORIGIN"