Implementing X-Frame-Options

Implementing X-Frame-Options

Server configuration examples across different platforms:

Apache Configuration

# Global protection
# Requires mod_headers. "always" emits the header on every response,
# including error responses (4xx/5xx), not only on successful ones.
# SAMEORIGIN allows framing only by pages from the same origin.
Header always set X-Frame-Options "SAMEORIGIN"

# Conditional protection
# <If> expressions need Apache 2.4+. %{HTTP_HOST} is the Host header
# supplied by the client, so this branch is selected by the request's
# Host value. The more specific "set" replaces the global SAMEORIGIN
# with DENY (no framing by any origin) for that host.
<If "%{HTTP_HOST} == 'admin.example.com'">
    Header always set X-Frame-Options "DENY"
</If>

# Directory-specific protection
# Applies to responses served from this filesystem path; "set" replaces
# the global SAMEORIGIN value rather than adding a second header.
<Directory "/var/www/sensitive">
    Header always set X-Frame-Options "DENY"
</Directory>

Nginx Configuration

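# Global configuration (http or server context).
# "always" emits the header on every response, including error
# responses (4xx/5xx), not only on the default success/redirect set.
# Modern browsers prefer CSP frame-ancestors; X-Frame-Options is still
# worth sending for older clients.
add_header X-Frame-Options "SAMEORIGIN" always;

# Location-specific configuration.
# NOTE: add_header is not merged across levels. Any add_header inside a
# location replaces every add_header inherited from server/http, so any
# other security header set globally must be repeated here or it
# silently disappears for /admin.
location /admin {
    add_header X-Frame-Options "DENY" always;
}

# Conditional configuration based on request.
# map must be declared in the http context; the consuming add_header
# goes in server or location context.
# Keyed on $uri (the normalized path nginx routes on) rather than
# $request_uri (the raw request line, un-normalized and including the
# query string), so the header value is decided on the same path that
# location matching uses.
map $uri $frame_options {
    default   "SAMEORIGIN";
    ~^/embed/ "";      # empty value: nginx omits the header, so /embed/ may be framed by any origin
    ~^/admin  "DENY";  # same prefix semantics as "location /admin" above (covers /admin and /admin/...)
}
add_header X-Frame-Options $frame_options always;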

IIS Configuration

<!-- Goes in web.config (site- or application-level). IIS adds the
     header to every response it serves through this pipeline. -->
<system.webServer>
    <httpProtocol>
        <customHeaders>
            <!-- SAMEORIGIN: allow framing only from the same origin.
                 If a parent configuration level already defines this
                 header, a second <add> with the same name is a
                 configuration error; precede it with
                 <remove name="X-Frame-Options" /> in that case. -->
            <add name="X-Frame-Options" value="SAMEORIGIN" />
        </customHeaders>
    </httpProtocol>
</system.webServer>