X-Frame-Options missing — clickjacking exposure and how to set it
Without X-Frame-Options (or a CSP `frame-ancestors` directive), your site can be rendered inside an attacker-controlled iframe. Clickjacking layers an invisible overlay so the user clicks one thing and triggers another — usually destructive — action.
Real-world risk
Clickjacking: your site can be framed while the user thinks they interact with another UI.
Fix steps (in order)
- Add `X-Frame-Options: DENY` (or `SAMEORIGIN` if same-origin framing is required).
- Prefer `Content-Security-Policy: frame-ancestors 'none'` (or `'self'`) for modern browsers; a browser that understands `frame-ancestors` ignores X-Frame-Options when both are present, so keep the two consistent rather than relying on one to override the other.
Example configurations
Patterns for common stacks. Set headers at your CDN, load balancer, or origin as appropriate.
nginx · nginx

```nginx
# Use SAMEORIGIN instead of DENY only if same-origin framing is required.
# "always" emits the header on every response code, including errors.
add_header X-Frame-Options "DENY" always;
```

Express (helmet) · typescript

```typescript
import express from "express";
import helmet from "helmet";

const app = express();
// frameguard sets X-Frame-Options; supported actions are "deny" and "sameorigin".
app.use(helmet.frameguard({ action: "deny" }));
```

Apache · apache

```apache
Header set X-Frame-Options "DENY"
```
Verify the fix in 30 seconds
Run a Scorifya scan on the affected host after deploy. The same finding id (missing_xfo) clears once the externally-observable signal is in place.
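The check below is an added example of the logic the fix steps and the verification step imply; it is not Scorifya's scanner code. It classifies a captured set of response headers: an enforced `frame-ancestors` directive wins, a single unambiguous `DENY`/`SAMEORIGIN` passes, and anything else (no header, obsolete `ALLOW-FROM`, mixed values, or a report-only CSP) is treated as missing.

```python
"""Offline framing-protection check over (name, value) response headers.

Added example modelled on the missing_xfo finding; the header samples in
the test are constructed, not captured from a real host.
"""
from __future__ import annotations

VALID_XFO = {"DENY", "SAMEORIGIN"}


def _frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Return the source list of the first frame-ancestors directive found
    across all enforcing Content-Security-Policy values, else None."""
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None


def frame_protection(headers: list[tuple[str, str]]) -> str:
    """Classify raw headers as they were sent on the wire.

    Returns:
      'csp'     - enforced frame-ancestors present; it takes precedence
                  over X-Frame-Options in browsers that support CSP
      'xfo'     - one unambiguous DENY or SAMEORIGIN, no frame-ancestors
      'missing' - nothing this check will trust (would raise missing_xfo)
    """
    by_name: dict[str, list[str]] = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value.strip())

    # Only the enforcing header counts; Content-Security-Policy-Report-Only
    # never blocks framing, so it is deliberately not consulted here.
    if _frame_ancestors(by_name.get("content-security-policy", [])) is not None:
        return "csp"  # 'none', 'self' or a host list all count as explicit policy

    # Collapse repeated or comma-joined X-Frame-Options values into unique tokens.
    tokens = {t.strip().upper()
              for v in by_name.get("x-frame-options", [])
              for t in v.split(",")}
    # ALLOW-FROM is obsolete, and mixed or malformed values are flagged
    # for review rather than trusted as protection.
    if len(tokens) == 1 and next(iter(tokens)) in VALID_XFO:
        return "xfo"
    return "missing"
```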