
Security fix guide

How to Fix a Missing X-Frame-Options Header

A missing X-Frame-Options header may allow other sites to frame your pages if CSP frame-ancestors is not configured.


What the issue means

When a response carries neither an X-Frame-Options header nor a Content-Security-Policy frame-ancestors directive, browsers will let any other site embed that page in a frame or iframe. The scanner reports this finding whenever both controls are absent.

Why it matters

Frame protections reduce clickjacking risk: without them, another site can load your page in an invisible or disguised frame and trick a logged-in user into clicking a control they did not intend to. This matters most on pages with authenticated or sensitive actions.

How to check it

Inspect the response headers (for example with `curl -I` or the browser's network panel) for an X-Frame-Options header or a Content-Security-Policy header containing a frame-ancestors directive. Either one is sufficient; a Content-Security-Policy-Report-Only header does not enforce anything.
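The check described above, written out as a small classifier (an added example, not code from this guide). It reads a raw header block such as `curl -I` prints, checks CSP frame-ancestors first because browsers that support it ignore X-Frame-Options when both are present, then falls back to X-Frame-Options and flags values that give no real protection (the obsolete ALLOW-FROM, unrecognised values, and conflicting values). The header blocks in SAMPLES are constructed; the hostnames in them are placeholders.

```python
# Added example, not from the guide: classify the framing protection a response carries.
# The raw header blocks in SAMPLES are constructed inputs, not captured traffic.
from typing import Dict, List, Optional, Tuple


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Turn a raw header block (as printed by `curl -I`) into a lower-cased name -> value dict.
    Repeated headers are joined with ', ' so that none are silently dropped."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # skip the status line and anything that is not a header
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def frame_ancestors_sources(policy: str) -> Optional[List[str]]:
    """Return the frame-ancestors source list of one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]  # an empty source list means 'none' in CSP
    return None


def frame_protection_status(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, detail) where status is:
      'protected' - CSP frame-ancestors or a valid X-Frame-Options restricts framing
      'weak'      - a header is present but does not reliably block framing
      'missing'   - neither header is present (the finding this guide describes)"""
    norm = {k.lower(): v for k, v in headers.items()}

    def values(name: str) -> List[str]:
        # Both headers may legitimately appear several times; treat each value separately.
        return [v.strip() for v in norm.get(name, "").split(",") if v.strip()]

    # 1. CSP frame-ancestors takes precedence over X-Frame-Options in browsers that support it.
    #    Content-Security-Policy-Report-Only is deliberately not consulted: it only reports.
    for policy in values("content-security-policy"):
        sources = frame_ancestors_sources(policy)
        if sources is None:
            continue
        if any(s in ("*", "http:", "https:") for s in sources):
            return "weak", f"frame-ancestors allows any origin: {' '.join(sources)}"
        return "protected", f"frame-ancestors {' '.join(sources)}"

    # 2. Fall back to X-Frame-Options.
    xfo = values("x-frame-options")
    if not xfo:
        return "missing", "neither X-Frame-Options nor CSP frame-ancestors is set"
    distinct = {v.upper() for v in xfo}
    if len(distinct) > 1:
        return "weak", f"conflicting X-Frame-Options values are ignored by browsers: {xfo}"
    value = distinct.pop()
    if value in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {value}"
    if value.startswith("ALLOW-FROM"):
        return "weak", "ALLOW-FROM is obsolete and ignored by current browsers; use CSP frame-ancestors"
    return "weak", f"unrecognised X-Frame-Options value {value!r} gives no protection"


# Constructed sample responses covering the cases above (hostnames are placeholders).
SAMPLES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n",
    "xfo": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "csp": ("HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'self' https://app.example\r\n"),
    "wildcard": "HTTP/1.1 200 OK\r\nContent-Security-Policy: frame-ancestors *\r\n",
    "obsolete": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n",
}


def check_sample(name: str) -> str:
    """Status for one of the constructed samples."""
    return frame_protection_status(parse_response_headers(SAMPLES[name]))[0]


if __name__ == "__main__":
    for name in SAMPLES:
        status, detail = frame_protection_status(parse_response_headers(SAMPLES[name]))
        print(f"{name:9} {status:10} {detail}")
```

To use it against a live response, pipe the output of `curl -sI https://your-site.example/page` (the URL is a placeholder) into `parse_response_headers` and pass the result to `frame_protection_status`; a status of `missing` is exactly the finding this guide describes, and `weak` means a header is present but should be replaced with DENY, SAMEORIGIN or a frame-ancestors source list.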

How to fix it

Set X-Frame-Options to DENY (never framed) or SAMEORIGIN (framed only by pages from the same origin), or prefer a Content-Security-Policy frame-ancestors directive, which can list specific allowed origins and takes precedence over X-Frame-Options in browsers that support it. Do not rely on the obsolete ALLOW-FROM value; current browsers ignore it.

Configuration examples

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Apache

Header always set X-Frame-Options "SAMEORIGIN"

Vercel / Next.js (in next.config.js; the headers function applies to every route)

module.exports = { headers: async () => [{ source: "/(.*)", headers: [{ key: "X-Frame-Options", value: "SAMEORIGIN" }] }] };

Cloudflare

Add X-Frame-Options or a CSP frame-ancestors directive with a response header rule.
