Security
X-Frame-Options + frame-ancestors
Stops other sites from embedding yours in an iframe — the prerequisite for clickjacking. CSP frame-ancestors is the modern equivalent; ship both for safety.
What it is
X-Frame-Options is the legacy header (DENY / SAMEORIGIN) that prevents the page from being framed cross-origin. CSP's frame-ancestors directive supersedes it with finer-grained control. ALLOW-FROM is obsolete; use frame-ancestors for allow-listing.
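As an added example (not code from the WQI page), the following Python checker applies the rules described above to a set of response headers and reports whether arbitrary third-party sites are blocked from framing the page. It follows current browser behaviour: an enforcing Content-Security-Policy with frame-ancestors takes precedence and X-Frame-Options is then ignored; otherwise DENY and SAMEORIGIN block framing, several distinct X-Frame-Options values make browsers fail closed, and any other value (including the obsolete ALLOW-FROM) is ignored, which means no protection. The sample header sets are constructed for the demonstration; the hostnames in them are placeholders.

```python
"""Decide whether a response's headers stop arbitrary cross-origin framing.

Added example, not code from the WQI page. Hostnames in SAMPLES are
constructed placeholders.
"""
import re
from dataclasses import dataclass

# A bare scheme such as "https:" is a valid CSP source that admits every
# https origin, so it is as open as "*" for framing purposes.
SCHEME_ONLY = re.compile(r"^[a-z][a-z0-9+.-]*:$")


@dataclass
class FramingVerdict:
    protected: bool   # True when arbitrary third-party sites cannot frame the page
    reason: str


def header_values(headers, name):
    """All values of a header: case-insensitive name, comma-split as HTTP allows."""
    out = []
    for key, value in headers.items():
        if key.lower() == name.lower():
            out.extend(v.strip() for v in value.split(",") if v.strip())
    return out


def frame_ancestors_sources(policy):
    """Source list of the frame-ancestors directive in one CSP policy, or None if absent."""
    for directive in policy.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            # Keywords are quoted ('self', 'none'); strip the quotes for comparison.
            return [t.strip("'").lower() for t in tokens[1:]]
    return None


def evaluate_framing(headers):
    # Only the enforcing CSP header counts: Report-Only never blocks, and a
    # <meta> CSP cannot carry frame-ancestors at all.
    csp_lists = [frame_ancestors_sources(p)
                 for p in header_values(headers, "Content-Security-Policy")]
    csp_lists = [s for s in csp_lists if s is not None]
    if csp_lists:
        # Every delivered policy is enforced, so the page is protected if any
        # one of them rejects arbitrary origins. X-Frame-Options is ignored here.
        for sources in csp_lists:
            open_to_all = any(s == "*" or SCHEME_ONLY.match(s) for s in sources)
            if not open_to_all:
                # An empty list or 'none' matches nothing; 'self' or hosts form an allow-list.
                shown = " ".join(sources) or "'none'"
                return FramingVerdict(True, "frame-ancestors restricts framing to: " + shown)
        return FramingVerdict(False, "frame-ancestors permits any origin")

    values = {v.lower() for v in header_values(headers, "X-Frame-Options")}
    if not values:
        return FramingVerdict(False, "no X-Frame-Options and no frame-ancestors directive")
    if len(values) > 1:
        return FramingVerdict(True, "conflicting X-Frame-Options values; browsers refuse to frame")
    value = values.pop()
    if value in ("deny", "sameorigin"):
        return FramingVerdict(True, f"X-Frame-Options {value.upper()}")
    if value.startswith("allow-from"):
        return FramingVerdict(False, "ALLOW-FROM is obsolete and ignored; use frame-ancestors for allow-lists")
    return FramingVerdict(False, f"unrecognised X-Frame-Options value {value!r} is ignored")


# Constructed sample header sets (not captured from any real site).
SAMPLES = {
    "both":        {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "legacy_only": {"x-frame-options": "SAMEORIGIN"},
    "allow_from":  {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "wildcard":    {"Content-Security-Policy": "frame-ancestors *"},
    "allowlist":   {"X-Frame-Options": "DENY",
                    "Content-Security-Policy": "frame-ancestors 'self' https://partner.example"},
    "none":        {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict = evaluate_framing(hdrs)
        print(f"{name:12s} {'OK  ' if verdict.protected else 'FAIL'} {verdict.reason}")
```

Shipping both headers, as the page recommends, is reflected in the "both" and "allowlist" samples: modern browsers evaluate only frame-ancestors there, while older ones without CSP support fall back to X-Frame-Options.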
Why it matters
Clickjacking attacks overlay your authenticated UI inside an attacker iframe. Without one of these headers, any site can embed yours and trick a logged-in visitor into clicking through invisible widgets.
Who it applies to
Any site with login, payment, or sensitive forms — but cheap enough to deploy everywhere.
How WQI scores it
Web Quality Index considers this standard satisfied when the supporting factor passes.
| # | Factor | Status |
|---|---|---|
| 4 | Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options) | live |
Related standards
- See also
- Security headers, CSP 3
Standards that share factors with this one
Auto-computed from overlapping factor tickets in satisfiedBy, excluding standards already listed under "See also" above. Strong overlap suggests these standards rise and fall together when sites are scored.
Other references
- guidance MDN — X-Frame-Options
- guidance OWASP — Clickjacking Defense Cheat Sheet