X-Frame-Options Test
Check whether a site blocks unwanted framing and clickjacking attempts.
What Is an X-Frame-Options Test?
The X-Frame-Options Test checks whether a page sends a framing policy that helps reduce clickjacking risk. Clickjacking happens when an attacker embeds a real page inside a deceptive frame and tricks users into clicking hidden or misleading controls.
What the Tool Checks
| Check | Why It Matters |
|---|---|
| X-Frame-Options | DENY blocks all framing. SAMEORIGIN allows framing only from the same origin. |
| ALLOW-FROM | Deprecated value that modern browsers ignore. The tool flags it for review. |
| CSP frame-ancestors | Modern framing control that can replace X-Frame-Options in current browsers. |
How to Read the Results
If X-Frame-Options is present with DENY or SAMEORIGIN, the page has a standard framing policy.
If X-Frame-Options is missing but Content-Security-Policy includes frame-ancestors, the page still has modern framing protection. If both are missing, add a framing policy to reduce clickjacking exposure.
For new implementations, prefer CSP frame-ancestors when you need flexible allowlists. X-Frame-Options is still useful as a simple compatibility header for DENY or SAMEORIGIN.
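The reading rules above, written as a small header classifier. This is an added example, not the tool's own code; the function names, the verdict labels (`standard`, `csp`, `missing`) and the sample headers are assumptions made for illustration.

```python
# Added example: classify a response's framing policy from its headers.
# Verdict labels are hypothetical; Report-Only CSP is ignored (not enforced).

def frame_ancestors(csp_values):
    """Return the source list of the first frame-ancestors directive, or None."""
    for value in csp_values:
        for policy in value.split(","):        # one header may carry several policies
            for directive in policy.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    return parts[1:]
    return None

def classify_framing(headers):
    """headers: list of (name, value) pairs. Returns (verdict, flags)."""
    xfo, csp = set(), []
    for name, value in headers:
        name = name.lower()
        if name == "x-frame-options":
            # Repeated headers are often merged into one comma-separated value.
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
        elif name == "content-security-policy":
            csp.append(value)

    flags = []
    for value in sorted(xfo):
        if value.startswith("ALLOW-FROM"):
            flags.append("ALLOW-FROM is deprecated and ignored by modern browsers")
        elif value not in ("DENY", "SAMEORIGIN"):
            flags.append("unrecognized X-Frame-Options value: " + value)

    if xfo & {"DENY", "SAMEORIGIN"}:
        verdict = "standard"   # X-Frame-Options with DENY or SAMEORIGIN
    elif frame_ancestors(csp) is not None:
        verdict = "csp"        # covered by CSP frame-ancestors
    else:
        verdict = "missing"    # no effective framing policy: add one
    return verdict, flags

# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "deny": [("X-Frame-Options", "DENY")],
    "csp_only": [("Content-Security-Policy",
                  "default-src 'self'; frame-ancestors 'self' https://partner.example")],
    "allow_from": [("x-frame-options", "ALLOW-FROM https://partner.example")],
    "none": [("Content-Type", "text/html")],
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, classify_framing(sample))
```

A response that sends only `ALLOW-FROM` comes back as `missing` with a review flag, since that value gives no protection in modern browsers.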
Frequently Asked Questions
X-Frame-Options tells browsers whether a page can be embedded in a frame. DENY blocks all framing, while SAMEORIGIN allows framing by pages from the same origin.
For modern browsers, Content-Security-Policy: frame-ancestors is more flexible and is the preferred framing control. This tool treats it as coverage when X-Frame-Options is missing.
ALLOW-FROM is deprecated and ignored by modern browsers. Use DENY, SAMEORIGIN, or a CSP frame-ancestors directive instead.