
A public resource tracking data breaches in Philippine schools. Helping administrators protect student data through awareness, education, and free security tools.

© 2026 SchoolBreach.org · A community service by OceanEd

Disclaimer: This tracker is maintained for educational and awareness purposes. Incidents are documented using threat intelligence monitoring, Philippine media reports, NPC filings, and responsible disclosures. Social media platforms are monitored for leads and are corroborated before publication or naming — never through active scanning or exploitation. Severity ratings and summaries are prepared with AI assistance and reviewed editorially. Full methodology →

explainer

X-Frame-Options: Preventing Clickjacking on School Sites

X-Frame-Options stops attackers from embedding your school's website inside a hidden iframe to trick users into clicking buttons or submitting forms they can't see. A one-line header, a real threat prevented.

4 min read · Tags: X-Frame-Options, clickjacking, security headers

What Is X-Frame-Options?

X-Frame-Options is an HTTP response header that controls whether your school's website can be embedded inside an <iframe> on another site. Its primary purpose is to prevent clickjacking attacks.

What Is Clickjacking?

In a clickjacking attack, an attacker:

  1. Creates a malicious webpage
  2. Embeds your school's login page or admin panel inside a hidden iframe on that page
  3. Overlays their own visible content on top
  4. When a user thinks they're clicking something innocent on the attacker's page, they're actually clicking a button on your school's hidden page

Examples of what an attacker can do:

  • Get a logged-in administrator to unknowingly click "Delete all students" or "Add new admin user"
  • Capture a staff member's login credentials by framing the login form
  • Trigger fund transfers if your school uses an online payment portal
  • Silently change settings in your school's SIS or LMS

The Three Header Values

X-Frame-Options: DENY

Blocks all framing — your site cannot be embedded in any iframe anywhere.

X-Frame-Options: SAMEORIGIN

Allows framing only by pages on your own domain. Useful if your school uses iframes internally.

X-Frame-Options: ALLOW-FROM https://trusted-partner.edu.ph

Allows framing only from a specific domain. Note: this value is deprecated and not supported in modern browsers — use CSP's frame-ancestors directive instead.

Recommended for most schools: DENY or SAMEORIGIN

How to Add the Header

Apache (.htaccess)

Header always set X-Frame-Options "SAMEORIGIN"

Nginx

add_header X-Frame-Options "SAMEORIGIN" always;

Cloudflare

Cloudflare does not add X-Frame-Options automatically. Use a Transform Rule or add it at the server level.

WordPress (plugin)

Headers & Security or WP Headers plugins can set this without server access.

Modern Alternative: CSP frame-ancestors

The modern equivalent is the Content Security Policy frame-ancestors directive, which offers more flexibility:

Content-Security-Policy: frame-ancestors 'self'

This is equivalent to SAMEORIGIN and is supported by all modern browsers. For maximum compatibility, set both headers.
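The Apache, Nginx and WordPress snippets above each set the header for one deployment. If your portal is a Python web application, the same policy can be enforced once in front of the app, independent of the framework. The following is an added example written for this article, not code from SchoolBreach.org or from any of the products named above: a WSGI middleware that adds both X-Frame-Options and the matching CSP frame-ancestors directive to every response, strips any weaker copy the application itself emitted (for example a stale ALLOW-FROM), and merges frame-ancestors into an existing Content-Security-Policy instead of overwriting it. The policy names "deny" and "sameorigin", the demo_app and run_request helpers are assumptions made for the example.

```python
"""Added example (not SchoolBreach.org's code): framework-independent WSGI
middleware that sets both anti-framing headers on every response.
Assumes the wrapped app is any WSGI callable; POLICIES maps the two
policies the article recommends to their X-Frame-Options / CSP pair."""

from wsgiref.util import setup_testing_defaults

# X-Frame-Options has no equivalent of frame-ancestors' origin list, so only
# the two values that modern browsers honour are offered here.
POLICIES = {
    "deny": ("DENY", "frame-ancestors 'none'"),
    "sameorigin": ("SAMEORIGIN", "frame-ancestors 'self'"),
}


def merge_csp(existing, frame_directive):
    """Replace or append the frame-ancestors directive in a CSP header value,
    keeping every other directive the application set."""
    if not existing:
        return frame_directive
    directives = [d.strip() for d in existing.split(";") if d.strip()]
    directives = [d for d in directives
                  if not d.lower().startswith("frame-ancestors")]
    directives.append(frame_directive)
    return "; ".join(directives)


class AntiFramingMiddleware:
    def __init__(self, app, policy="sameorigin"):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.app = app
        self.xfo, self.csp = POLICIES[policy]

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app emitted so a weaker value
            # (e.g. ALLOW-FROM from an old plugin) cannot survive, and pull
            # out the app's CSP so frame-ancestors can be merged into it.
            kept, existing_csp = [], None
            for name, value in headers:
                lname = name.lower()
                if lname == "x-frame-options":
                    continue
                if lname == "content-security-policy":
                    existing_csp = value
                    continue
                kept.append((name, value))
            kept.append(("X-Frame-Options", self.xfo))
            kept.append(("Content-Security-Policy",
                         merge_csp(existing_csp, self.csp)))
            return start_response(status, kept, exc_info)
        return self.app(environ, wrapped_start_response)


def demo_app(environ, start_response):
    """Stand-in for a school portal (constructed): it sets a CSP of its own
    but no framing control at all."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Security-Policy", "default-src 'self'")])
    return [b"<html><body>Admin panel</body></html>"]


def run_request(app, path="/admin"):
    """Drive a WSGI app with a synthetic request; return (status, headers, body)
    with header names lower-cased for easy lookup."""
    environ = {"PATH_INFO": path}
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}
        return lambda data: None

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = run_request(AntiFramingMiddleware(demo_app, "sameorigin"))
    print(status)
    for name, value in headers.items():
        print(f"{name}: {value}")
```

Because the middleware removes whatever X-Frame-Options the application sent before adding its own, a response cannot end up carrying two conflicting values; and because it merges rather than replaces the CSP, the portal's existing default-src policy is preserved.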

Does Your School Actually Need This?

If your school website has:

  • A staff or admin login page
  • An enrollment or payment form
  • A student information portal
  • Any page where authenticated users take actions

Then yes — X-Frame-Options (or its CSP equivalent) should be set. The header costs nothing to implement and closes a real attack vector.

Try the Live Demo

Interactive Clickjacking Demo: See this attack in action. Enter any school portal URL to watch it get silently embedded inside a fake "Win a Scholarship" page. Toggle between X-Ray mode (you see both layers) and Attack mode (iframe drops to near-invisible). Drag the fake green button over any real button on the target site to simulate the full attack.

Launch Clickjacking Demo →

Check Your Site

The Site Scanner checks whether your school site sends the X-Frame-Options header.
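For a school that wants to check its own headers outside the scanner, the following is an added example written for this article (it is not the SchoolBreach.org Site Scanner and does not reproduce its logic). It evaluates the three header values described above together with the CSP frame-ancestors directive, applying the rule modern browsers follow: when frame-ancestors is present, X-Frame-Options is ignored, so a permissive CSP can silently undo a strict X-Frame-Options. It works on a plain dictionary of response headers, so the constructed samples run offline; fetch_headers is a small urllib helper for reading a live site's headers, and the verdict names ("protected", "restricted", "unprotected") and the sample hostnames are assumptions made for the example.

```python
"""Added example (not the SchoolBreach.org Site Scanner): judge a response's
anti-framing headers the way a current browser does. Works on a dict of
response headers; SAMPLES below are constructed, not captured from any site."""

import sys
import urllib.request


def frame_ancestors(csp_value):
    """Return the frame-ancestors source list from a CSP header value, or None
    if the directive is absent. An empty list means the directive was present
    with no sources, which browsers treat like 'none'."""
    if not csp_value:
        return None
    for directive in csp_value.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None


def assess_framing(headers):
    """Return (verdict, reason). Header names are matched case-insensitively.
    verdict: 'protected', 'restricted' (only listed origins may frame the
    page) or 'unprotected'."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    ancestors = frame_ancestors(h.get("content-security-policy"))
    xfo = h.get("x-frame-options")

    # Browsers that understand frame-ancestors ignore X-Frame-Options whenever
    # the directive is present, so CSP is judged first.
    if ancestors is not None:
        if not ancestors or ancestors == ["'none'"]:
            return "protected", "frame-ancestors 'none' blocks all framing"
        if ancestors == ["'self'"]:
            return "protected", "frame-ancestors 'self' allows only same-origin framing"
        if "*" in ancestors:
            return "unprotected", "frame-ancestors * lets any site frame the page"
        return "restricted", "framing allowed only from: " + " ".join(ancestors)

    if xfo is None:
        return "unprotected", "neither X-Frame-Options nor CSP frame-ancestors is set"
    value = xfo.upper()
    if value == "DENY":
        return "protected", "X-Frame-Options DENY blocks all framing"
    if value == "SAMEORIGIN":
        return "protected", "X-Frame-Options SAMEORIGIN allows only same-origin framing"
    if value.startswith("ALLOW-FROM"):
        return "unprotected", "ALLOW-FROM is deprecated; modern browsers ignore it, leaving the page frameable"
    return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored by browsers"


def fetch_headers(url, timeout=10):
    """Fetch the response headers of a live URL (needs network access)."""
    request = urllib.request.Request(url, method="GET",
                                     headers={"User-Agent": "xfo-check"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


# Constructed sample responses, one per situation the article discusses.
SAMPLES = {
    "missing entirely": {"Content-Type": "text/html"},
    "XFO only": {"X-Frame-Options": "SAMEORIGIN"},
    "both, as recommended": {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "deprecated ALLOW-FROM": {
        "X-Frame-Options": "ALLOW-FROM https://trusted-partner.edu.ph"},
    "CSP * overrides stronger XFO DENY": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors *"},
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        verdict, reason = assess_framing(fetch_headers(sys.argv[1]))
        print(f"{sys.argv[1]}: {verdict} ({reason})")
    else:
        for label, hdrs in SAMPLES.items():
            verdict, reason = assess_framing(hdrs)
            print(f"{label:36} {verdict:12} {reason}")
```

Run it with no arguments to see the verdict for each constructed sample, or pass a URL you administer to evaluate its real headers. The last sample is the one worth remembering: X-Frame-Options: DENY looks strict, but because the CSP carries frame-ancestors *, a modern browser never consults it, and the page is frameable.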

Related Resources

  • Content Security Policy — includes frame-ancestors, the modern framing control
  • HSTS Explained — another one-line header with major security impact
  • Site Scanner — check all your security headers at once