Free Tool
X-Frame-Options Checker
Test whether your website protects its pages from unauthorized iframe embedding and the clickjacking attacks that rely on it.
Sign in with Google or GitHub to run the scan. Start with a free scan.
What this tool checks
This page uses ZeriFlow's deterministic website security engine and focuses the guidance on the configuration area above. For the full report, run a complete free security scan.
Key Checks
Header Presence
Detects whether X-Frame-Options is present on public responses.
Policy Strength
Reviews DENY and SAMEORIGIN usage for the intended embedding behavior.
CSP Coverage
Checks whether frame-ancestors is also configured for modern browsers.
Clickjacking Risk
Explains where missing frame controls can create user-interface attack paths.
Recommended Baseline
Strict
Use X-Frame-Options: DENY for pages that should never be embedded.
Same Origin
Use SAMEORIGIN only when same-site framing is required.
Modern CSP
Add a Content-Security-Policy frame-ancestors directive for finer-grained control in modern browsers, including allowing specific origins.
Testing
Check login, checkout, admin, and account pages after deployment.
FAQ
What does X-Frame-Options do?
X-Frame-Options tells browsers whether your page can be embedded inside an iframe. It helps reduce clickjacking risk by blocking unauthorized framing.
Should I use DENY or SAMEORIGIN?
Use DENY when your site should never be embedded. Use SAMEORIGIN if pages need to be framed by other pages on the same origin.
Is CSP frame-ancestors better than X-Frame-Options?
CSP frame-ancestors is the modern, more flexible control: it can allow a specific list of origins instead of only the all-or-nothing DENY and SAMEORIGIN choices. Many teams send both X-Frame-Options and frame-ancestors so that older browsers without frame-ancestors support are still covered.
Does X-Frame-Options stop all clickjacking?
No single header stops every UI attack, but X-Frame-Options and frame-ancestors are strong baseline protections against unauthorized iframe embedding.
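The checks listed under Key Checks and the baseline described above can be reproduced locally against a set of response headers. The following Python script is an added example written for this page; it is not ZeriFlow's engine and does not reproduce its scoring. The sample responses and the three-level risk rating are constructed for illustration. It grades each response on whether X-Frame-Options is present and uses a recognized value, whether a CSP frame-ancestors directive is present and is not a wildcard, and then rates the page high risk when neither control is effective, medium when only one is, and low when both are.

```python
"""Assess clickjacking protections from HTTP response headers (added example)."""
from typing import Dict, List, Optional

# Constructed sample responses; none of these are captured from a real site.
SAMPLE_RESPONSES: Dict[str, Dict[str, str]] = {
    "no-protection": {"Content-Type": "text/html"},
    "deny-only": {"X-Frame-Options": "DENY"},
    "sameorigin-plus-csp": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
    },
    "csp-allowlist-only": {
        "Content-Security-Policy": "frame-ancestors 'self' https://partner.example",
    },
    "obsolete-allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-wildcard": {"Content-Security-Policy": "frame-ancestors *"},
}


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup, as header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def csp_frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def assess_framing(headers: Dict[str, str]) -> Dict[str, object]:
    """Evaluate header presence, policy strength and CSP coverage for one response."""
    findings: List[str] = []

    # Header Presence / Policy Strength: X-Frame-Options
    xfo = get_header(headers, "X-Frame-Options")
    xfo_effective = False
    if xfo is None:
        findings.append("X-Frame-Options header is missing")
    else:
        value = xfo.strip().upper()
        if value == "DENY":
            xfo_effective = True
            findings.append("X-Frame-Options: DENY blocks all framing")
        elif value == "SAMEORIGIN":
            xfo_effective = True
            findings.append("X-Frame-Options: SAMEORIGIN allows same-origin framing only")
        elif value.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete and ignored by current browsers; "
                            "use CSP frame-ancestors for an allowlist")
        else:
            findings.append(f"Unrecognized X-Frame-Options value {xfo!r}; "
                            "browsers ignore invalid values")

    # CSP Coverage: frame-ancestors
    ancestors = csp_frame_ancestors(get_header(headers, "Content-Security-Policy"))
    csp_effective = ancestors is not None and "*" not in ancestors
    if ancestors is None:
        findings.append("CSP frame-ancestors is not configured")
    elif "*" in ancestors:
        findings.append("frame-ancestors * lets any site frame this page")
    else:
        findings.append(f"frame-ancestors restricts framing to {' '.join(ancestors)}")

    # Clickjacking Risk: constructed three-level rating for this example
    effective = int(xfo_effective) + int(csp_effective)
    risk = {0: "high", 1: "medium", 2: "low"}[effective]
    if effective == 1:
        findings.append("Only one framing control is effective; send both for broader coverage")

    return {"risk": risk, "xfo": xfo, "frame_ancestors": ancestors, "findings": findings}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        result = assess_framing(headers)
        print(f"{name}: risk={result['risk']}")
        for line in result["findings"]:
            print(f"  - {line}")
```

Run it as-is to see the verdict for each constructed response, or replace SAMPLE_RESPONSES with headers captured from your own login, checkout, admin and account pages after deployment. The rating deliberately treats an obsolete ALLOW-FROM value and an unrecognized value the same as a missing header, because browsers ignore both.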
Need the full security picture?
ZeriFlow combines deterministic website checks across headers, TLS, DNS, cookies, and email security with monitoring, reporting, and AI-powered developer workflows where implemented.