URL: /rules/security/x-frame-options

---
title: "X-Frame-Options"
description: "Checks for clickjacking protection header"
---

Checks for clickjacking protection header

| | |
|---|---|
| **Rule ID** | `security/x-frame-options` |
| **Category** | [Security](/rules/security) |
| **Scope** | Site-wide |
| **Severity** | warning |
| **Weight** | 5/10 |

## Solution

The `X-Frame-Options` response header prevents your site from being embedded in iframes, protecting against clickjacking attacks. Set `X-Frame-Options: DENY` (no framing) or `X-Frame-Options: SAMEORIGIN` (same origin only). For modern browsers, CSP `frame-ancestors` is preferred: `Content-Security-Policy: frame-ancestors 'self'`. Use both for maximum compatibility.
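
To verify a response against the guidance above, the following added example classifies its framing protection from the headers. It is not this rule's own implementation; the function names and sample headers are constructed for illustration, and it assumes a single `Content-Security-Policy` header per response.

```javascript
// Added example: not the rule's own code. Names and samples are constructed.

// Return the frame-ancestors source list from a CSP header value, or null.
function frameAncestors(csp) {
  for (const directive of String(csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

// Classify a response's framing protection from a plain headers object.
function checkFraming(headers) {
  // Header names are case-insensitive; normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  const findings = [];
  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  if (!xfo) findings.push("X-Frame-Options missing");
  else if (!xfoOk) findings.push(`X-Frame-Options is not DENY or SAMEORIGIN: ${xfo}`);

  const fa = frameAncestors(h["content-security-policy"]);
  const faOk = fa !== null && !fa.includes("*");
  if (fa === null) findings.push("CSP frame-ancestors missing");
  else if (!faOk) findings.push("CSP frame-ancestors allows any origin (*)");

  // protected: at least one mechanism is effective; both: the recommended setup.
  return { protected: xfoOk || faOk, both: xfoOk && faOk, findings };
}

// Constructed sample responses.
const SAMPLES = [
  { "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'" },
  { "x-frame-options": "SAMEORIGIN" },
  { "Content-Security-Policy": "frame-ancestors *" },
  {},
];
for (const s of SAMPLES) console.log(JSON.stringify(checkFraming(s)));
```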

## Enable / Disable

### Disable this rule

```toml squirrel.toml
[rules]
disable = ["security/x-frame-options"]
```

### Disable all Security rules

```toml squirrel.toml
[rules]
disable = ["security/*"]
```

### Enable only this rule

```toml squirrel.toml
[rules]
enable = ["security/x-frame-options"]
disable = ["*"]
```
