X-Frame-Options: Preventing Clickjacking on School Sites
X-Frame-Options stops attackers from embedding your school's website inside a hidden iframe to trick users into clicking buttons or submitting forms they can't see. A one-line header, a real threat prevented.
What Is X-Frame-Options?
X-Frame-Options is an HTTP response header that controls whether your school's website can be embedded inside an <iframe> on another site. Its primary purpose is to prevent clickjacking attacks.
What Is Clickjacking?
In a clickjacking attack, an attacker:
1. Creates a malicious webpage
2. Embeds your school's login page or admin panel inside a hidden iframe on that page
3. Overlays their own visible content on top
4. When a user thinks they're clicking something innocent on the attacker's page, they're actually clicking a button on your school's hidden page
Examples of what an attacker can do:
- Get a logged-in administrator to unknowingly click "Delete all students" or "Add new admin user"
- Capture a staff member's login credentials by framing the login form
- Trigger fund transfers if your school uses an online payment portal
- Silently change settings in your school's SIS or LMS
The Three Header Values
```
X-Frame-Options: DENY
```
Blocks all framing — your site cannot be embedded in any iframe anywhere.
```
X-Frame-Options: SAMEORIGIN
```
Allows framing only by pages on your own domain. Useful if your school uses iframes internally.
```
X-Frame-Options: ALLOW-FROM https://trusted-partner.edu.ph
```
Allows framing only from a specific domain. Note: this value is deprecated and not supported in modern browsers — use CSP's frame-ancestors directive instead.
Recommended for most schools: DENY or SAMEORIGIN
How to Add the Header
Apache (.htaccess)
```apache
Header always set X-Frame-Options "SAMEORIGIN"
```
Nginx
```nginx
add_header X-Frame-Options "SAMEORIGIN" always;
```
Cloudflare
Cloudflare does not add X-Frame-Options automatically. Use a Transform Rule or add it at the server level.
WordPress (plugin)
Plugins such as Headers & Security or WP Headers can set this header without server access.
Modern Alternative: CSP frame-ancestors
The modern equivalent is the Content Security Policy frame-ancestors directive, which offers more flexibility:
```
Content-Security-Policy: frame-ancestors 'self'
```
This is equivalent to SAMEORIGIN and is supported by all modern browsers. For maximum compatibility, set both headers.
Does Your School Actually Need This?
If your school website has:
- A staff or admin login page
- An enrollment or payment form
- A student information portal
- Any page where authenticated users take actions
Then yes — X-Frame-Options (or its CSP equivalent) should be set. The header costs nothing to implement and closes a real attack vector.
Check Your Site
The Site Scanner checks whether your school site sends the X-Frame-Options header.
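As an added example (not the Site Scanner's own code, and not from the original page), here is a small checker that classifies one HTTP response's anti-framing headers the way such a scan does: it accepts DENY/SAMEORIGIN, flags the deprecated ALLOW-FROM, prefers an enforced CSP frame-ancestors, and treats a Report-Only policy as no protection. The header dicts it is fed are constructed inputs.

```python
def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers: dict) -> dict:
    """Classify the anti-framing headers of one HTTP response.

    `headers` maps header names (any case) to values. The result says whether
    cross-origin framing is blocked, which header provides the protection
    ('csp', 'xfo' or 'none'), and the notes a scanner would show the site owner.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    notes, protected, source = [], False, "none"

    # CSP frame-ancestors is the modern control; where it is present, browsers
    # that support it ignore X-Frame-Options entirely.
    ancestors = _frame_ancestors(h.get("content-security-policy", ""))
    if ancestors is not None:
        source = "csp"
        if "*" in ancestors:
            notes.append("frame-ancestors * permits every origin")
        else:
            protected = True  # 'none', 'self' or an explicit allowlist
    elif _frame_ancestors(h.get("content-security-policy-report-only", "")) is not None:
        # Report-Only policies only log violations; they never block framing.
        notes.append("frame-ancestors is only in Report-Only and is not enforced")

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        if ancestors is None:
            protected, source = True, "xfo"
    elif xfo.startswith("ALLOW-FROM"):
        notes.append("ALLOW-FROM is deprecated and ignored by modern browsers")
    elif xfo:
        notes.append(f"unrecognised X-Frame-Options value {xfo!r}; treated as no protection")
    elif ancestors is not None:
        notes.append("also set X-Frame-Options SAMEORIGIN or DENY for older browsers")

    if not protected:
        notes.append("page can be embedded by other sites (clickjacking risk)")
    return {"protected": protected, "source": source, "notes": notes}
```

Feed it the headers from an HTTP response (for example the dict returned by a request library) and act on any entry in `notes`.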
Related Resources
- Content Security Policy — includes frame-ancestors, the modern framing control
- HSTS Explained — another one-line header with major security impact
- Site Scanner — check all your security headers at once