X-Frame-Options accepts one of three values:
- SAMEORIGIN: pages may be embedded only by pages on the same origin, for example an iframe of one of your own pages on your own site.
- ALLOW-FROM uri: allows one specific origin (website/domain) to embed your site's pages in an iframe.
- DENY: no website may embed your site's pages in an iframe.
Setup X-Frame-Options with Apache Configuration
Edit the Apache configuration file for your operating system. The file is usually found at:
- Debian-based systems: /etc/apache2/conf-enabled/security.conf
- Red Hat-based systems: /etc/httpd/conf/httpd.conf

Now add one of the following entries to the file. The Header directive takes the header name and its value as separate arguments, with no colon after the name.

Allow for same origin (default action):

```apache
Header set X-Frame-Options "SAMEORIGIN"
```

Allow from a specific origin. ALLOW-FROM takes a single origin, and Header set replaces any earlier value, so keep only the one line whose scheme and host serve the framing page; note that current browsers ignore ALLOW-FROM, so the Content-Security-Policy frame-ancestors directive is the supported way to allow framing by another origin:

```apache
Header set X-Frame-Options "ALLOW-FROM http://example.com/"
Header set X-Frame-Options "ALLOW-FROM http://www.example.com/"
Header set X-Frame-Options "ALLOW-FROM https://example.com/"
Header set X-Frame-Options "ALLOW-FROM https://www.example.com/"
```

Deny to everyone:

```apache
Header set X-Frame-Options "DENY"
```
Save the configuration file and restart the Apache service to apply the changes. The Header directive is provided by mod_headers, so make sure that module is loaded (on Debian-based systems: a2enmod headers) or Apache will refuse to start with an unknown-directive error.
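After the restart, the practical check is to fetch the response headers and confirm the value actually reaches the client. The following is an added example and not part of the original post: check_xfo reads raw HTTP response headers on stdin and reports whether X-Frame-Options is present with a value browsers honour. The sample response is constructed, and www.example.com in the curl line is a placeholder for your own host.

```shell
#!/bin/sh
# Added example, not from the original post: confirm that the server really
# sends X-Frame-Options. check_xfo reads raw HTTP response headers on stdin and
# returns 0 only for a value browsers still honour (DENY or SAMEORIGIN),
# 2 for ALLOW-FROM (ignored by current browsers, so framing is effectively
# allowed), and 1 when the header is missing or unrecognised.

check_xfo() {
    # Header names are case-insensitive and HTTP lines end in CRLF: strip the
    # CR, match case-insensitively, take the first occurrence, keep the value
    # without surrounding whitespace, and normalise it to upper case.
    value=$(tr -d '\r' | grep -i '^x-frame-options:' | head -n 1 \
            | cut -d: -f2- | tr -d ' \t' | tr '[:lower:]' '[:upper:]')
    case "$value" in
        DENY|SAMEORIGIN)
            echo "ok: X-Frame-Options: $value"
            return 0 ;;
        ALLOW-FROM*)
            echo "warn: ALLOW-FROM is ignored by current browsers; use Content-Security-Policy frame-ancestors instead"
            return 2 ;;
        '')
            echo "fail: X-Frame-Options header is missing"
            return 1 ;;
        *)
            echo "fail: unrecognised X-Frame-Options value '$value'"
            return 1 ;;
    esac
}

# Constructed sample response (not captured from a real server) so the check
# can be exercised offline.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html
X-Frame-Options: SAMEORIGIN'

printf '%s\n' "$SAMPLE_RESPONSE" | check_xfo

# Against a live server (www.example.com is a placeholder for your own host):
#   curl -sI https://www.example.com/ | check_xfo
if [ "$#" -gt 0 ]; then
    curl -sI "$1" | check_xfo
fi
```

Run it with a URL as the first argument to test a live server; with no argument it only exercises the constructed sample. A non-zero exit status makes it usable from a deployment check or cron job.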
Setup X-Frame-Options with .htaccess
For websites running in a shared hosting environment, you may not have privileges to modify the Apache configuration. In this case, create a .htaccess file in the document root and add the same Header directives as above. This also requires mod_headers to be loaded and the hosting configuration to permit .htaccess overrides (AllowOverride FileInfo covers the Header directive).