AI Security · March 19, 2026 · 2 min read

Why Your Website Needs X-Frame-Options

Clickjacking is one of the oldest tricks in the book. And it still works on thousands of websites.

Ryan Macomber

Founder, VibeSec Advisory

The big picture

Your site can be loaded inside an invisible iframe on a malicious page. Users think they are clicking something on the attacker's page, but the click actually lands on a button or link on your site.

Why it matters

Attackers use this to:

  • Trick users into clicking ads they did not intend to click
  • Get users to authorize OAuth applications they did not mean to authorize
  • Steal credentials through fake login forms overlaid on your real login form

If your site has any user actions (buttons, forms, links), you are a target.

The fix

Add this header to your responses:

X-Frame-Options: DENY

That is it. One line. Your site cannot be embedded in iframes anywhere.

For more flexibility

If you need to allow embedding from your own pages (for example, an internal widget framed by another page on the same origin):

X-Frame-Options: SAMEORIGIN

This allows embedding only from your own origin. X-Frame-Options has no working way to allow a list of other domains (the old ALLOW-FROM value is obsolete and ignored by current browsers); if you need that, use the Content-Security-Policy frame-ancestors directive instead.

How to test

Run this in your terminal:

curl -I https://yoursite.com | grep -i "x-frame-options"

If you see nothing, you are vulnerable (unless a Content-Security-Policy header with a frame-ancestors directive is doing the job instead).
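As an added example that is not part of the original post, here is a small Python checker that classifies the header block printed by curl -I. It goes beyond the one-line grep above by also handling a Content-Security-Policy frame-ancestors directive (which browsers honour in preference to X-Frame-Options), the obsolete ALLOW-FROM value, and repeated headers. The sample responses are constructed for illustration.

```python
from typing import List, Tuple

def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Turn the text printed by `curl -I` into (name, value) pairs.
    The status line and blank lines are skipped; names are lower-cased."""
    pairs = []
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs

def frame_protection(headers: List[Tuple[str, str]]) -> str:
    """Classify anti-framing protection as 'protected', 'unprotected' or 'unreliable'."""
    xfo = [v for n, v in headers if n == "x-frame-options"]
    csp = [v for n, v in headers if n == "content-security-policy"]
    # Browsers that support CSP frame-ancestors enforce it and ignore X-Frame-Options.
    for policy in csp:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.strip("'").lower() for t in tokens[1:]]
                # A bare wildcard lets any origin frame the page.
                return "unprotected" if "*" in sources else "protected"
    if not xfo:
        return "unprotected"
    if len(xfo) > 1:
        # Repeated or conflicting headers are not handled uniformly across browsers.
        return "unreliable"
    value = xfo[0].upper()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected"
    # ALLOW-FROM is obsolete and ignored; any other value is simply not recognised.
    return "unreliable"

# Constructed sample responses (not captured from any real site).
SAMPLE_DENY = "HTTP/2 200\r\ncontent-type: text/html\r\nx-frame-options: DENY\r\n\r\n"
SAMPLE_NONE = "HTTP/2 200\r\ncontent-type: text/html\r\n\r\n"
SAMPLE_OBSOLETE = "HTTP/2 200\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n"
SAMPLE_CSP_OPEN = ("HTTP/2 200\r\nx-frame-options: DENY\r\n"
                   "content-security-policy: default-src 'self'; frame-ancestors *\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("deny", SAMPLE_DENY), ("none", SAMPLE_NONE),
                       ("obsolete", SAMPLE_OBSOLETE), ("csp-open", SAMPLE_CSP_OPEN)]:
        print(f"{label:9s} -> {frame_protection(parse_raw_headers(raw))}")
```

Note the last sample: X-Frame-Options: DENY is present, yet the page is still frameable because the CSP frame-ancestors directive overrides it.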

The bottom line

This takes 5 minutes to fix. There is no reason to skip it.

Add the header today.
