Last updated on July 7th, 2024 at 10:51 am
Whether it's protecting against clickjacking attempts or protecting your intellectual property, blocking iFrames of your site is an important part of website security.
Blocking the ability to have your content iframed can help protect from clickjacking activity.
This post may contain affiliate links. We may earn a commission if you purchase an item through our links. It costs you nothing and helps us to fund this blog. Please see our Affiliate Disclosure & Notification for details.
While there are some use cases in which you’d want to allow another website to embed portions of your own site within theirs, it’s generally not a good idea. The most common method used to embed website content is through iFrames and in this post we’re going to show you how to block iFrames used to display your site within someone else’s.
Embedding YouTube videos like the one in this post is an example of a legitimate use of iFraming. In the case of YouTube videos, you’re allowing YouTube to serve up the video content instead of putting that load on your own servers. In fact most sites that provide an embed code for content such as Flickr and Twitter do so through the use of iFrames.
Why Block iFrames Anyway?
Chances are you’re reading this because you already know. If so, skip down to the code snippets now. Otherwise, read on…
Prevent Clickjacking
Clickjacking is when a user’s clicks are hijacked and pointed elsewhere. In most cases, clickjacking is accomplished by iFraming trusted content and overlaying transparent elements over them.
A malicious entity could iFrame a portion of your site and then use HTML to overlay their own elements such as malicious hyperlinks. A user thinks they’re clicking on a link in your site, but unknowingly is clicking an invisible link layered over it.
Clickjacking can be used to harvest login credentials by rendering a fake login box on top of the real one or send users to sites or downloads they wouldn’t normally click[ref].
Protect Your Intellectual Property
Perhaps you’re a blogger. You spend hours researching and writing your articles and posts. One day, you find that your entire blog is iFramed in some foreign website – that site’s visitors are reading your content without visiting your site. And if your site is monetized, you’re not getting any credit for the traffic in that iFrame.
This is exactly what happened to a client of mine. They were losing revenue and site traffic. The site which was iFraming their content was based in Romania so options were limited.
In cases like this, you’d want to ensure your site cannot be iFramed.
iFrame Blocking Methods
You can protect your site from being iFramed by incorporating the correct HTTP response headers on your website.
There are two different response headers that are used to block iFrame loading – X-Frame-Options and Content-Security-Policy. You can usually get by with just using the X-Frame-Options header because it’s supported in more browsers whereas Content-Security-Policy has some options which aren’t supported in any Microsoft browser. For this reason I’ll only be showing the X-Frame-Options header and it’s parameters.
The X-Frame-Options header has 3 settings: DENY, SAMEORIGIN, and ALLOW-FROM.
The DENY setting is the most restrictive option which blocks all iFrame requests. The SAMEORIGIN allows a site to iFrame its own content. The ALLOW-FROM setting allows you to set trusted locations that can iFrame your page – but you must be careful because the ALLOW-FROM setting isn’t recognized by all browsers and could leave you vulnerable.
The SAMEORIGIN setting is the most commonly used of the three. In the following code snippets, we’ll show you the snippets for all versions in the first section. The remaining sections are only showing the SAMEORIGIN option, but you can swap that out with one of the other ones as the format is the same.
Block iFrames using .htaccess
If you’re using shared hosting for your website, you probably don’t have access to the Apache configuration. Luckily, you can usually set the X-Frame-Options header by adding one of the following lines to your .htaccess file.
Deny iFraming of your website to everyone:
header set x-frame-options DENYDeny iFraming of your website to everyone except those with the same origin:
header set x-frame-options SAMEORIGINDeny iFraming of your website to everyone except the domains you specify – change domain.com to the domain you wish to allow access to:
header set x-frame-options ALLOW-FROM https://domain.comBlock iFrames on Apache
If you aren’t using shared hosting and have access to your Apache configuration files, you can add the following line in your httpd.conf file:
header always set x-frame-options "SAMEORIGIN"Blocking iFrames on Nginx
If you’re using an Nginx server for you website you’ll need to add the following to your server block config:
header always set x-frame-options "SAMEORIGIN"Blocking iFrames on IIS
For those of you using Windows servers to deliver your website, you can add the following to your web.config file:
<system.webServer>
...
<httpProtocol>
<customHeaders>
<add name="X-Frame-Options" value="sameorigin" />
</customHeaders>
</httpProtocol>
...
</system.webServer>On IIS, you can also perform the configuration through the IIS Manager GUI by following these steps[ref]:
- Open Internet Information Services (IIS) Manager.
- In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.
- Double-click the HTTP Response Headers icon in the feature list in the middle.
- In the Actions pane on the right side, click Add.
- In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.
- Click OK to save your changes.
Final Thoughts
Using iFrames for embedding content can be a useful web tool.
Unfortunately, it can be used for more nefarious purposes. Adding the SAMEORIGIN x-frame-options header to your website will prevent iFrame embedding & help protect your users. In addition, most hosts don’t have this header set by default so it’s up to you to configure it and help lock down your site.
FAQs
Sharif Jameel is a business owner, IT professional, runner, & musician. His professional certifications include CASP, Sec+, Net+, MCSA, & ITIL and others. He’s also the guitar player for the Baltimore-based cover bands, Liquifaction and Minority Report.
I recently noticed another site embedding my own and your article helped me to block them. Thanks so much!
Hey Mark, thanks for the comment. I’m glad it worked for you!
Which Code Should I add to the header tag in HTML?
Will it work?
Hey Tech Sander, thanks for stopping by. Response headers must be added at the server level. In the past, you could add them using an html meta tag but that doesn’t work for most modern browsers anymore.
Pingback: The Importance of Blogging on Your Business Website - Website Design Baltimore | SEO Baltimore | CGS Computers
What Happens If I Host a Static Website(HTML only) Via GitHub on DigitalOcean.
There is no .htaccess option. What can we do in such a situation?
Hey thanks for stopping by – I’m not sure what system DigitalOcean uses for content delivery. Most hosts use Apache or an Apache-compatible system (such as CloudLinux or NGINX) and in that case if no .htaccess file exists, you can just create one. You may need to reach out to their support for more details.
Hi,
This worked for me using a wordpress website “header set x-frame-options DENY”
I would like to know if it is possible to replace the item in the frame with a message such as “illegally copied”
Thanks
Thanks for stopping by and reading! As to your question, I’m not sure if that is possible due to the way iframe works. Any message on failure to load the iframe would have be coded in to the site performing the operation (ie. the site you want to block).
Thank you!
header set x-frame-options SAMEORIGIN work for me!
Thanks, glad it worked for you!