Prevent other sites from embedding yours in an iframe to trick your users.
Clickjacking loads your site in an invisible iframe over a malicious page so victims click your buttons without knowing. X-Frame-Options (and the modern frame-ancestors CSP directive) tells browsers who, if anyone, may frame your pages.
SAMEORIGIN to allow only your own site to frame your pages (or DENY for none).
frame-ancestors in your CSP; it supersedes X-Frame-Options in modern browsers.

# No framing protection

X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'

Add via a security plugin (Wordfence, "Security Headers") or .htaccess.
Add both headers in next.config.js headers().
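The Next.js step above, written out as an added example (not code from the original page), together with a small checker that goes one step further and reports which header a modern browser would enforce. The names `framingHeaders`, `nextConfig` and `framingPolicy` are hypothetical, and the response headers passed to the checker are constructed input.

```javascript
// The two headers from the page, in the shape Next.js expects from headers().
const framingHeaders = [
  { key: 'X-Frame-Options', value: 'SAMEORIGIN' },
  { key: 'Content-Security-Policy', value: "frame-ancestors 'self'" },
];

// In next.config.js this object is what the file exports.
const nextConfig = {
  async headers() {
    // '/:path*' applies the headers to every route.
    return [{ source: '/:path*', headers: framingHeaders }];
  },
};

// Decide which header a modern browser enforces for framing.
// `headers` is a plain object of response headers (constructed input).
function framingPolicy(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);

  // frame-ancestors wins when present; a Report-Only CSP is never enforced.
  const csp = h['content-security-policy'] || '';
  const directive = csp.split(';').map(d => d.trim().split(/\s+/))
    .find(d => d[0].toLowerCase() === 'frame-ancestors');
  if (directive) {
    const sources = directive.slice(1).map(s => s.toLowerCase());
    // '*' or a bare scheme lets arbitrary sites frame the page.
    const open = sources.some(s => s === '*' || s === 'https:' || s === 'http:');
    return { enforcedBy: 'frame-ancestors', protected: !open, sources };
  }

  // Fallback: only DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    return { enforcedBy: 'x-frame-options', protected: true, sources: [xfo] };
  }
  return { enforcedBy: null, protected: false, sources: [] };
}
```

Because frame-ancestors supersedes X-Frame-Options, a permissive frame-ancestors value leaves the page frameable even when X-Frame-Options says DENY, so audit the CSP first.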