How to Set the Response Header X-Frame-Options: DENY
The X-Frame-Options HTTP response header is a security measure against "clickjacking" attacks: it controls whether a page may be embedded in an iframe. When a browser receives an X-Frame-Options header, it uses the value to decide whether the page may be rendered inside a frame, iframe, object, or embed element. There are three possible values for the X-Frame-Options header:
DENY: The page cannot be embedded in a frame at all, not even by its own site.
SAMEORIGIN: The page can only be embedded in a frame by pages from the same website (origin) that served the page.
ALLOW-FROM: The page can only be embedded in a frame by the specified origin (i.e., a single domain name). Note that ALLOW-FROM is obsolete and is ignored by current browsers; the Content-Security-Policy frame-ancestors directive is the supported way to allow specific origins.
By setting the X-Frame-Options header to DENY, you prevent the page from being embedded in an iframe at all, even by a page from the same domain. This protects against clickjacking attacks, in which an attacker embeds the target page in an invisible iframe layered over a decoy page, so that clicks the victim believes are for the decoy actually land on the target page.
Setting the X-Frame-Options response header to DENY therefore stops the page from being embedded in an iframe and mitigates the risk of "clickjacking" attacks.
The exact method for setting the header depends on the web server or framework you are using. Here are examples of setting X-Frame-Options: DENY on some common platforms:
Apache (requires mod_headers; place it in httpd.conf, a virtual host, or .htaccess):
Header set X-Frame-Options "DENY"
Nginx (inside the server or location block):
add_header X-Frame-Options "DENY";
PHP (must be called before any output is sent):
header('X-Frame-Options: DENY');
ASP.NET:
Response.Headers.Add("X-Frame-Options", "DENY");
Ruby on Rails:
response.headers['X-Frame-Options'] = 'DENY'
Note that the exact syntax may vary depending on the version of the web server or framework you are using. Please refer to the relevant documentation for more information.
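As an added illustration, not part of the original post, the Python helper below models how a browser interprets the three header values for a given framed page and embedding page, and classifies a response's headers as protected by CSP frame-ancestors, by X-Frame-Options, or not at all. It assumes a single header value and uses constructed example URLs.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin_of(url: str) -> str:
    """Return the scheme://host[:port] origin of a URL, with default ports dropped."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or DEFAULT_PORTS.get(scheme) == port:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"

def framing_allowed(xfo_value: Optional[str], framed_url: str, embedder_url: str) -> bool:
    """Would a browser render framed_url inside a frame on embedder_url?

    Simplified model (assumption): one X-Frame-Options value, no CSP
    frame-ancestors directive (which takes precedence when present), and
    SAMEORIGIN compared against the embedding page's origin.
    """
    if xfo_value is None:
        return True                      # no header: any site may frame the page
    value = xfo_value.strip().upper()
    if value == "DENY":
        return False                     # never framable, not even by its own site
    if value == "SAMEORIGIN":
        return origin_of(framed_url) == origin_of(embedder_url)
    # ALLOW-FROM and any unrecognised value are ignored by current browsers,
    # so the page ends up framable exactly as if no header had been sent.
    return True

def framing_protection(headers: Dict[str, str]) -> str:
    """Classify a response's anti-framing posture: 'csp', 'xfo' or 'none'."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy", "")
    if any(d.strip().lower().startswith("frame-ancestors") for d in csp.split(";")):
        return "csp"                     # frame-ancestors overrides X-Frame-Options
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "none"                        # missing, ALLOW-FROM or malformed value

if __name__ == "__main__":
    # Constructed sample: a banking page served with the header from this article.
    target = "https://bank.example/transfer"
    print(framing_allowed("DENY", target, "https://attacker.example/decoy"))   # False
    print(framing_protection({"X-Frame-Options": "DENY"}))                      # xfo
```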