X-Frame-Options stops attackers from embedding your school's website inside a hidden iframe to trick users into clicking buttons or submitting forms they can't see. A one-line header, a real threat prevented.
X-Frame-Options is an HTTP response header that controls whether your school's website can be embedded inside an <iframe> on another site. Its primary purpose is to prevent clickjacking attacks.
In a clickjacking attack, an attacker:
Examples of what an attacker can do:
X-Frame-Options: DENY
Blocks all framing — your site cannot be embedded in any iframe anywhere.
X-Frame-Options: SAMEORIGIN
Allows framing only by pages on your own domain. Useful if your school uses iframes internally.
X-Frame-Options: ALLOW-FROM https://trusted-partner.edu.ph
Allows framing only from a specific domain. Note: this value is deprecated and not supported in modern browsers — use CSP's frame-ancestors directive instead.
Recommended for most schools: DENY or SAMEORIGIN
Apache (httpd.conf, a virtual host, or .htaccess; needs mod_headers):
Header always set X-Frame-Options "SAMEORIGIN"
Nginx (in the server or location block):
add_header X-Frame-Options "SAMEORIGIN" always;
Note that an add_header inside a location block replaces any add_header directives inherited from the server block rather than adding to them, so repeat the header in every block that sets its own.
Cloudflare does not add X-Frame-Options automatically. Use a Transform Rule or add it at the server level.
On WordPress, plugins such as Headers & Security or WP Headers can set this without server access.
The modern equivalent is the Content Security Policy frame-ancestors directive, which offers more flexibility:
Content-Security-Policy: frame-ancestors 'self'
This is equivalent to SAMEORIGIN and is supported by all modern browsers. For maximum compatibility, set both headers.
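The following is an added example, not code from the original page or its Site Scanner: a small checker that applies the rules described above to a set of response headers, treating frame-ancestors as authoritative when present (browsers that support it ignore X-Frame-Options) and flagging the deprecated ALLOW-FROM value. The sample responses are constructed to match the configurations discussed on this page.

```python
# Added example: classify a response's anti-framing headers.
# Header samples below are constructed, not captured from a real site.

def framing_policy(headers):
    """Return (status, reason) for a dict of HTTP response headers.
    Header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").upper()

    # frame-ancestors takes precedence over X-Frame-Options in supporting browsers.
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "protected", "frame-ancestors 'none' blocks all framing"
            if sources == ["self"]:
                return "protected", "frame-ancestors 'self' allows same-origin framing only"
            if "*" in sources:
                return "unprotected", "frame-ancestors * lets any site frame the page"
            return "protected", "frame-ancestors limits framing to: " + ", ".join(sources)

    if xfo in ("DENY", "SAMEORIGIN"):
        return "protected", f"X-Frame-Options {xfo} (add frame-ancestors for flexibility)"
    if xfo.startswith("ALLOW-FROM"):
        return "unprotected", "ALLOW-FROM is deprecated and ignored by modern browsers"
    if xfo:
        return "unprotected", f"unrecognised X-Frame-Options value {xfo!r} is ignored"
    return "unprotected", "no X-Frame-Options or frame-ancestors header sent"


# Constructed sample responses modelled on the configurations above.
SAMPLES = {
    "apache-sameorigin": {"X-Frame-Options": "SAMEORIGIN"},
    "both-headers": {"X-Frame-Options": "DENY",
                     "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'"},
    "deprecated-allow-from": {"X-Frame-Options": "ALLOW-FROM https://trusted-partner.edu.ph"},
    "no-header": {"Content-Type": "text/html"},
}


def scan_samples():
    """Run the check over every constructed sample; returns {name: (status, reason)}."""
    return {name: framing_policy(hdrs) for name, hdrs in SAMPLES.items()}


if __name__ == "__main__":
    for name, (status, reason) in scan_samples().items():
        print(f"{name:24} {status:12} {reason}")
```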
If your school website has:
Then yes — X-Frame-Options (or its CSP equivalent) should be set. The header costs nothing to implement and closes a real attack vector.
Interactive Clickjacking Demo: See this attack in action. Enter any school portal URL to watch it get silently embedded inside a fake "Win a Scholarship" page. Toggle between X-Ray mode (you see both layers) and Attack mode (iframe drops to near-invisible). Drag the fake green button over any real button on the target site to simulate the full attack.
The Site Scanner checks whether your school site sends the X-Frame-Options header.