Do you really want anyone to render your site in a frame? If so, users can think it's your site and be tricked.

This header can protect the user from so called clickjacking where your pages is rendered in a frame with an overhead layer where hidden links and buttons fools the users.

To protect the users you specify who is allowed to render your site in an frame or similar. There is three possible directives:

  • deny - page isn't allowed to be rendered in a frame.
  • sameorigin - the page self it self can be shown in pages from the same origin.
  • allow-from https://trusted-site.com - only allowed to show in frames at the specified site.

This header is obsolete and replaced by CSP level 2 but it can still be a good idea to use since older browsers not support that.

HTTP Header Tester: X-Frame-Options

Adding it can look like this:

<add name="X-Frame-Options" value="sameorigin"/>

Read more about: How to add headers to your .net site

Previously in the Security Headers series: X-XSS-Protection

Next up in the Security Headers series: Referrer-Policy