X-Frame-Options Inspect

Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.

Status

Runs entirely in your browser; nothing you paste leaves the page. Treat the result as a first-pass diagnostic, not as a substitute for testing in real browsers.

How to use

Paste the X-Frame-Options header line and click “Parse”. The tool splits the header into its values and lists them.

Notes (this tool)

  • Accepts an X-Frame-Options: header line.

About this page

What does this tool do?

Parse X-Frame-Options and list values like DENY / SAMEORIGIN.

Useful for clickjacking protection checks and embedding policy review.

X-Frame-Options basics

  • Controls whether a page can be framed in iframes.
  • DENY blocks all framing; SAMEORIGIN allows only same-origin.
  • ALLOW-FROM is deprecated and not supported by current browsers; a browser that does not recognise the value ignores the header entirely.

Typical use cases

  • Clickjacking protection for admin/payment pages
  • Review which origins are allowed to embed a page
  • Check together with CSP frame-ancestors

Common values

  • DENY: not embeddable anywhere
  • SAMEORIGIN: embeddable only by pages of the same origin (current browsers check every ancestor frame, not just the top-level page)
  • ALLOW-FROM uri: allow a specific origin (deprecated; ignored by current browsers)

Syntax (how to read)

In practice you set exactly one value: "X-Frame-Options: DENY" or "X-Frame-Options: SAMEORIGIN". Repeated headers or comma-separated values are a misconfiguration and browsers resolve them in ways you should verify rather than assume.

ALLOW-FROM is legacy and widely unsupported; for fine-grained allowlists, use CSP frame-ancestors instead.

Security angle (clickjacking)

Clickjacking overlays real UI (often via transparent iframes) to trick users into unintended clicks. X-Frame-Options reduces the attack surface by preventing framing.

  • High-impact pages: admin/settings/payment/authorization/password changes
  • If embedding is not needed, DENY is the simplest choice

Relationship with CSP frame-ancestors

Today the recommended control is CSP frame-ancestors. It allows origin allowlists and more flexible control.

  • For compatibility, some setups use CSP + X-Frame-Options together.
  • You can inspect CSP via CSP Inspect.

Common pitfalls

  • ALLOW-FROM only ever worked in a few legacy browsers; current browsers ignore it, which leaves the page frameable
  • Settings that conflict with CSP frame-ancestors: when both headers are present, browsers that support CSP apply frame-ancestors and ignore X-Frame-Options
  • Using DENY on pages that need to be embedded

Suggested workflow

  • Decide whether the page needs embedding (internal tools/widgets)
  • If not needed, use DENY; otherwise, list the allowed origins in CSP frame-ancestors
  • Verify with real iframes and check browser differences

What this tool does

  • Split and display X-Frame-Options values
  • Check for ALLOW-FROM usage
  • Visualize embedding policy

Operational notes

  • Recommended values are environment-dependent. Validate against functional requirements before applying.
  • In production, use phased rollout with report monitoring.

Referenced specs

  • RFC 7034 (X-Frame-Options)
  • MDN: X-Frame-Options

FAQ

Use CSP frame-ancestors or X-Frame-Options?

CSP frame-ancestors is recommended today, but X-Frame-Options is still used for compatibility.

Is SAMEORIGIN safe?

It allows same-origin framing, so use it only when required. If not needed, DENY is clearer.

References

  1. RFC 7034
  2. MDN: X-Frame-Options
  3. MDN: CSP frame-ancestors

Example

X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN
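The two header lines in the example above are exactly the conflicting case the pitfalls section warns about. As an added example (not the tool's own code), the JavaScript below parses pasted header text and evaluates it the way the HTML standard's X-Frame-Options check does, including the CSP frame-ancestors precedence and the per-ancestor SAMEORIGIN comparison; the page origin, ancestor origins and CSP string passed in are assumptions for illustration.

```javascript
// Added example (not the tool's own code): evaluate an X-Frame-Options header the
// way the HTML standard's X-Frame-Options check does, so a review reports the
// protection actually obtained rather than the value that was typed.
// Assumptions (not from the page): `headerText` is the pasted text, one or more
// "X-Frame-Options: ..." lines; `ancestorOrigins` are the framing chain's origins.

// Header values: repeated headers join on commas, so split on commas, trim, lower-case.
function parseXfoValues(headerText) {
  const values = [];
  for (const line of headerText.split(/\r?\n/)) {
    const body = line.replace(/^\s*x-frame-options\s*:/i, "");
    for (const part of body.split(",")) {
      const v = part.trim().toLowerCase();
      if (v) values.push(v); // empty pieces are dropped for the diagnostic
    }
  }
  return values;
}

// Returns { framing: "blocked" | "allowed" | "csp", reason } for a document of
// `pageOrigin` framed by `ancestorOrigins`; `cspHeader` is the response's CSP, if any.
function evaluateXfo(headerText, pageOrigin, ancestorOrigins, cspHeader = "") {
  // An enforced CSP carrying frame-ancestors takes precedence: X-Frame-Options is ignored.
  if (/(^|;)\s*frame-ancestors\b/i.test(cspHeader)) {
    return { framing: "csp", reason: "frame-ancestors governs framing; X-Frame-Options ignored" };
  }
  const values = [...new Set(parseXfoValues(headerText))];
  if (values.length === 0) return { framing: "allowed", reason: "no X-Frame-Options header" };
  if (values.length > 1) {
    // Conflicting values block only when DENY (or the legacy ALLOWALL/INVALID tokens) is among them.
    const hard = values.some(v => v === "deny" || v === "allowall" || v === "invalid");
    return { framing: hard ? "blocked" : "allowed", reason: "conflicting values: " + values.join(", ") };
  }
  const v = values[0];
  if (v === "deny") return { framing: "blocked", reason: "DENY" };
  if (v === "sameorigin") {
    // Every ancestor, not only the top-level page, must share the document's origin.
    const ok = ancestorOrigins.every(o => o === pageOrigin);
    return { framing: ok ? "allowed" : "blocked", reason: "SAMEORIGIN against " + ancestorOrigins.join(" > ") };
  }
  // ALLOW-FROM (unsupported by current browsers) or any typo is ignored: no protection at all.
  const why = v.startsWith("allow-from") ? "ALLOW-FROM is ignored; use CSP frame-ancestors" : "unrecognised value ignored: " + v;
  return { framing: "allowed", reason: why };
}
```

Feed it the example above and the result is "blocked", because DENY wins among conflicting values; swap DENY for a typo such as "DENNY" and the page becomes frameable.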