The X-Frame-Options response header

Restricting your page being used in IFrames (click jacking)

  • Share

I found this header option repeating in many guidelines for securing the web application.

By adding these headers to response, it restricts browser to load your page into an iFrame tag.

For ASP.NET you can do it in two ways:

1. Adding headers on request start in your global.asax file

void Application_BeginRequest(object sender, EventArgs e)
    HttpContext.Current.Response.AddHeader("X-FRAME-OPTIONS", "DENY");

2. Adding headers in web.config

			<add name="X-Frame-Options" value="DENY" />

Whichever method you use, it will work and your content will not be loaded into other websites pages.

Headers options can have the following possible values:

  • SAMEORIGIN - allows page to be loaded in an iframe only if container page and iframe page are loaded from the same domain
  • DENY - disallows page to be loaded in an iframe (regardless of the domain)
  • ALLOW - allows page to be loaded on any other web page (regardless of the domain)

Unfortunately, these headers are not supported by all browsers, but are supported by newer version of top popular browsers used on the majority of computers now-days.


If you are using any CMS which backend relies on iframes, you should set this header value to SAMEORIGIN so you do not run into an issue

This feature along with cross-domain scripting restriction makes a solid security against forgery websites.

It is recommended to use these headers for ASP.NET websites, especially for those who have some type of payment or sending sensitive user informations.

This website has these settings in web.config, so if you try to load it in an iframe in your browser you will probably get an empty document in iframe. Various browsers implement this different, so for some you might get an empty document in iframe (Firefox) or an error page.


  • Share


Purpose of the code contained in snippets or available for download in this article is solely for learning and demo purposes. Author will not be held responsible for any failure or damages caused due to any other usage.

Comments for this article

comments powered by Disqus