How to fix missing X-Frame-Options or frame-ancestors (clickjacking)
Quick fix guide with step-by-step instructions. Barrion detects this finding in your scans; use this page to remediate it.
What it is
Clickjacking happens when your site is embedded in an invisible iframe on another site; users think they're clicking your UI but are actually clicking the attacker's. X-Frame-Options or CSP frame-ancestors tells the browser not to allow your page to be framed (or only by specific origins).
Why it matters
Without frame protection, an attacker can overlay your login or payment UI with transparent elements and trick users into clicking. DENY or sameorigin (or frame-ancestors 'none' / 'self') prevents your content from being framed by other sites.
How to fix it
- 1
Choose X-Frame-Options or CSP
X-Frame-Options: DENY (no framing) or SAMEORIGIN (only your site). CSP frame-ancestors is more flexible (e.g. allow specific domains) and is the modern approach; you can set both for compatibility.
- 2
Add the header
Send X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN on every response. Alternatively set Content-Security-Policy with frame-ancestors 'none' or frame-ancestors 'self'.
- 3
Verify
Run a clickjacking protection check or Barrion scan to confirm the header is present and your site is not framable by unknown origins.
Examples by platform
Nginx
add_header X-Frame-Options "DENY" always;Apache
Header always set X-Frame-Options "DENY"Check your site
Run Barrion's free security headers check to see if this finding applies to your app and get a full report.
Run free check →
