X-Frame-Options - HTTP

Deprecated: This feature is no longer recommended. Though some browsers might still tư vấn it, it may have already been removed from the relevant trang web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the compatibility table at the bottom of this page đồ sộ guide your decision. Be aware that this feature may cease đồ sộ work at any time.

The HTTP X-Frame-Options response header can be used đồ sộ indicate whether a browser should be allowed đồ sộ render a page in a , , <embed> or <object>. Sites can use this đồ sộ avoid click-jacking attacks, by ensuring that their nội dung is not embedded into other sites.</p> <p>The added security is provided only if the user accessing the document is using a browser that supports <code>X-Frame-Options</code>.</p> <figure><table readabilitydatatable="1"> <tbody> <tr> <th scope="row">Header type</th> <td>Response header</td> </tr> <tr> <th scope="row">Forbidden header name</th> <td>No</td> </tr> </tbody> </table></figure></div><section aria-labelledby="syntax"><h2 id="syntax">Syntax</h2><div><p>There are two possible directives for <code>X-Frame-Options</code>:</p> <div><pre><code>X-Frame-Options: DENY X-Frame-Options: SAMEORIGIN </code></pre></div></div></section><section aria-labelledby="directives"><h3 id="directives">Directives</h3><div><p>If you specify <code>DENY</code>, not only will the browser attempt đồ sộ load the page in a frame fail when loaded from other sites, attempts đồ sộ tự sánh will fail when loaded from the same site. On the other hand, if you specify <code>SAMEORIGIN</code>, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.</p> <dl> <dt id="deny">DENY</dt> <dd> <p>The page cannot be displayed in a frame, regardless of the site attempting đồ sộ tự sánh.</p> </dd> <dt id="sameorigin">SAMEORIGIN <abbr title="Deprecated. Not for use in new websites."> <span>Deprecated</span> </abbr></dt> <dd> <p>The page can only be displayed if all ancestor frames are same origin đồ sộ the page itself.</p> </dd> <dt id="allow-from_origin">ALLOW-FROM origin <abbr title="Deprecated. Not for use in new websites."> <span>Deprecated</span> </abbr></dt> <dd> <p>This is an obsolete directive. Modern browsers that encounter response headers with this directive will ignore the header completely. The Content-Security-Policy HTTP header has a frame-ancestors directive which you should use instead.</p> </dd> </dl></div></section><section aria-labelledby="examples"><h2 id="examples">Examples</h2><div><p><strong>Warning:</strong> Setting <code>X-Frame-Options</code> inside the <meta> element (e.g., <code><meta http-equiv="X-Frame-Options" content="deny"></code>) has no effect. <code>X-Frame-Options</code> is only enforced via HTTP headers, as shown in the examples below.</p></div></section><section aria-labelledby="configuring_apache"><h3 id="configuring_apache">Configuring Apache</h3><div><p>To configure Apache đồ sộ send the <code>X-Frame-Options</code> header for all pages, add this đồ sộ your site's configuration:</p> <div><pre><code>Header always mix X-Frame-Options "SAMEORIGIN" </code></pre></div> <p>To configure Apache đồ sộ mix <code>X-Frame-Options</code> đồ sộ <code>DENY</code>, add this đồ sộ your site's configuration:</p> <div><pre><code>Header mix X-Frame-Options "DENY" </code></pre></div></div></section><section aria-labelledby="configuring_nginx"><h3 id="configuring_nginx">Configuring Nginx</h3><div><p>To configure Nginx đồ sộ send the <code>X-Frame-Options</code> header, add this either đồ sộ your http, server or location configuration:</p> <div><pre><code>add_header X-Frame-Options SAMEORIGIN always; </code></pre></div> <p>You can mix the <code>X-Frame-Options</code> header đồ sộ <code>DENY</code> using:</p> <div><pre><code>add_header X-Frame-Options DENY always; </code></pre></div></div></section><section aria-labelledby="configuring_iis"><h3 id="configuring_iis">Configuring IIS</h3><div><p>To configure IIS đồ sộ send the <code>X-Frame-Options</code> header, add this đồ sộ your site's <code>Web.config</code> file:</p> <div><pre><code><system.webServer> … <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> </customHeaders> </httpProtocol> … </system.webServer> </code></pre></div> <p>For more information, see the Microsoft tư vấn article on setting this configuration using the IIS Manager user interface.</p></div></section><section aria-labelledby="configuring_haproxy"><h3 id="configuring_haproxy">Configuring HAProxy</h3><div><p>To configure HAProxy đồ sộ send the <code>X-Frame-Options</code> header, add this đồ sộ your front-end, listen, or backend configuration:</p> <pre>rspadd X-Frame-Options:\ SAMEORIGIN </pre> <p>Alternatively, in newer versions:</p> <pre>http-response set-header X-Frame-Options SAMEORIGIN </pre></div></section><section aria-labelledby="configuring_express"><h3 id="configuring_express">Configuring Express</h3><div><p>To mix <code>X-Frame-Options</code> đồ sộ <code>SAMEORIGIN</code> using Helmet add the following đồ sộ your server configuration:</p> <div><pre><code>const helmet = require("helmet"); const phầm mềm = express(); app.use( helmet({ xFrameOptions: { action: "sameorigin" }, }), ); </code></pre></div></div></section><h2 id="specifications">Specifications</h2><table readabilitydatatable="1"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td>HTML Standard # the-x-frame-options-header</td></tr></tbody></table><h2 id="browser_compatibility">Browser compatibility</h2><p>BCD tables only load in the browser</p><section aria-labelledby="see_also"><h2 id="see_also">See also</h2></section></article></body> </div> </div> </div> </div> <aside class="col col-right col-xl-3 order-xl-2 col-lg-3 order-lg-2 col-md-6 col-sm-6 col-12"> <div class="sidebar-inner"> <div class="box widget mb20 widget-most-view type-2"> <div class="box-title widget-title mb-3 style_5"> <h6 class="m-0 main-title"><span class="inner-title">Đọc nhiều</span></h6> </div> <div class="box-body widget-content"> <div class="item"> <a href="/top-30-cam-xuc-ve-ngay-khai-truong-hay-nhat-1734398483" title="Top 30 Cảm xúc về ngày khai trường (hay nhất)." class="d-flex"> <div class="info-wrapper"> <span class="article-title"> Top 30 Cảm xúc về ngày khai trường (hay nhất). </span> </div> </a> </div> <div class="item"> <a href="/diem-khac-biet-cua-nen-van-minh-trung-hoa-so-voi-cac-nen-van-minh-khac-ra-doi-o-phuong-dong-vea-nganh-kinh-te-chinhb-1735163106" title="Điểm khác biệt của nền văn minh Trung Hoa so với các nền văn minh khác ra đời ở phương Đông vềA. ngành kinh tế chính.B...." class="d-flex"> <div class="info-wrapper"> <span class="article-title"> Điểm khác biệt của nền văn minh Trung Hoa so với các nền văn minh khác ra đời ở phương Đông vềA. ngành kinh tế chính.B.... </span> </div> </a> </div> <div class="item"> <a href="/trinh-bay-y-kien-ve-mot-van-de-trong-doi-song-14-mau-1734389707" title="Trình bày ý kiến về một vấn đề trong đời sống (14 mẫu)" class="d-flex"> <div class="info-wrapper"> <span class="article-title"> Trình bày ý kiến về một vấn đề trong đời sống (14 mẫu) </span> </div> </a> </div> <div class="item"> <a href="/cac-thuyet-tu-tuong-ton-giao-ra-doi-o-trung-hoa-voi-muc-dich-gi-muc-tieu-chung-cua-chuong-trinh-giao-duc-mon-lich-su-thpt-la-gi-1734994214" title="Các thuyết tư tưởng tôn giáo ra đời ở trung hoa với mục đích gì? Mục tiêu chung của chương trình giáo dục môn Lịch sử THPT là gì?" class="d-flex"> <div class="info-wrapper"> <span class="article-title"> Các thuyết tư tưởng tôn giáo ra đời ở trung hoa với mục đích gì? Mục tiêu chung của chương trình giáo dục môn Lịch sử THPT là gì? </span> </div> </a> </div> <div class="item"> <a href="/tom-tat-truyen-de-men-phieu-luu-ki-ngan-gon-nhat-10-dong-20-dong-1734418900" title="Tóm tắt truyện Dế Mèn Phiêu Lưu Kí ngắn gọn nhất 10 dòng, 20 dòng" class="d-flex"> <div class="info-wrapper"> <span class="article-title"> Tóm tắt truyện Dế Mèn Phiêu Lưu Kí ngắn gọn nhất 10 dòng, 20 dòng </span> </div> </a> </div> </div> </div> </div> </aside> </div> </div> </div> <div class="clearfix"></div> <div class="woodmart-close-side"></div> <footer class="fs2 f-rsr footer footer-type-2"> <div class="footer-body"> <div class="container"> <div class="footer_top_1"> <div class="row align-items-center"> <div class="col-md-9"> <a href="/" class="logo-footer"> <strong class="logo_text" style="font-family: initial; font-size: 40px; font-weight: 700;"> newyork.edu.vn </strong> </a> <p><strong>newyork.edu.vn</strong></p> <p></p> </div> <div class="col-md-3 text-center"> <div class="footer-social"> <ul class="social_icons social_white shape_square style_colored size_small" style="display: inline-block;"> </ul> </div> </div> </div> </div> <div class="clearfix text-f" style="position: relative"> <style> .text-f { display: none !important; } .text-f, .text-f p, .text-f a { color: transparent !important; } </style> </div> <div class="footer_bottom"> <p>Copyright © 2024 by newyork.edu.vn</p> </div> </div> </div> </footer> </div>  <script src="//newyork.edu.vn/modules/blog/js/app.js" type="text/javascript"></script> <div id="go_top_control" title="Lên đầu trang"> <i class="fa fa-arrow-up go_top_icon"></i> </div></body> </html> <script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script>

X-Frame-Options - HTTP | MDN