Security Headers | March 19, 2026 | 2 min read

Why Your Website Needs X-Frame-Options

Clickjacking is one of the oldest tricks in the book. And it still works on thousands of websites.

Ryan Macomber

Founder, VibeSec Advisory

The big picture

Your site can be loaded inside an invisible iframe on a malicious page. Users think they are clicking one thing, but they are actually clicking your site.

Why it matters

Attackers use this to:

  • Trick users into clicking ads they did not intend to click
  • Get users to authorize OAuth applications they did not mean to authorize
  • Steal credentials through fake login forms overlaid on your real login form

If your site has any user actions (buttons, forms, links), you are a target.

The fix

Add this header to your responses:

X-Frame-Options: DENY

That is it. One line. Your site cannot be embedded in iframes anywhere.

For more flexibility

If your own pages need to embed your site, use the same-origin variant instead (note that this header cannot whitelist other domains, only your own origin):

X-Frame-Options: SAMEORIGIN

This allows embedding only from your own domain.

How to test

Run this in your terminal:

curl -I https://yoursite.com | grep -i "x-frame-options"

If you see nothing, you are vulnerable.
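As an added check that goes a step beyond the curl one-liner above (example code written for this post, not VibeSec's own tooling): it classifies a response's headers, counts a Content-Security-Policy frame-ancestors directive as equivalent protection, and flags the obsolete ALLOW-FROM form that current browsers ignore. The fetch helper uses GET rather than HEAD, since some servers answer the two differently; the URL in the usage call is a placeholder.

```python
import urllib.request
from typing import Dict, Optional, Tuple


def parse_frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def assess_framing(headers: Dict[str, str]) -> Tuple[str, str]:
    """Classify clickjacking protection from response headers.

    Header names are matched case-insensitively. Returns (verdict, reason) where
    verdict is 'protected' or 'unprotected'. A CSP frame-ancestors directive is
    checked first because browsers give it precedence over X-Frame-Options.
    """
    h = {k.lower(): v for k, v in headers.items()}
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        if "*" in sources.split():
            return ("unprotected", "CSP frame-ancestors allows any origin")
        return ("protected", f"CSP frame-ancestors {sources}")
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return ("protected", f"X-Frame-Options: {xfo}")
    if xfo.startswith("ALLOW-FROM"):
        return ("unprotected", "ALLOW-FROM is obsolete and ignored by current browsers")
    if xfo:
        return ("unprotected", f"unrecognised X-Frame-Options value {xfo!r}")
    return ("unprotected", "no X-Frame-Options or CSP frame-ancestors header")


def fetch_headers(url: str) -> Dict[str, str]:
    """GET the page (HEAD responses can differ) and return its response headers."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    # Constructed sample header sets, so the classifier can be tried offline.
    samples = {
        "deny": {"X-Frame-Options": "DENY"},
        "csp-self": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
        "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "none": {"Server": "nginx"},
    }
    for name, hdrs in samples.items():
        print(f"{name:11} {assess_framing(hdrs)}")
    # Live check: replace the placeholder with the site you operate.
    # print(assess_framing(fetch_headers("https://yoursite.com")))
```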

The bottom line

This takes 5 minutes to fix. There is no reason to skip it.

Add the header today.
