X-Frame-Options is an HTTP response header that tells the browser whether it may render your page inside a <frame>, <iframe>, <embed>, or <object> on another page. It is a key defense against clickjacking attacks.
What is Clickjacking?
In a clickjacking attack, a malicious site embeds your page in an invisible iframe and tricks users into clicking buttons or links they didn't intend to, for example clicking "Delete Account" while thinking they're clicking something harmless on the attacker's page. The attack works because the framed page loads with the victim's own session cookies, so the click is performed as the logged-in user.
Available Values
DENY: The page cannot be displayed in any frame, regardless of the site attempting to do so.
SAMEORIGIN: The page can only be displayed in a frame whose origin (scheme, host and port) matches the page's own origin. Browsers check the whole chain of ancestor frames, so a same-origin frame nested inside a foreign page is still blocked.
ALLOW-FROM uri: The page can only be displayed in a frame on the specified origin. Deprecated and not supported by modern browsers; they treat it as an unrecognised value and ignore the header entirely, which leaves the page frameable by anyone.
Values are matched case-insensitively.
Example
X-Frame-Options: SAMEORIGIN
This is the recommended value for most WordPress sites. It allows your own site to use iframes (e.g., for the WordPress editor) while blocking external sites from embedding your pages.
Modern Alternative: CSP frame-ancestors
The Content-Security-Policy header's frame-ancestors directive is the modern replacement:
Content-Security-Policy: frame-ancestors 'self'
It provides the same protection with more flexibility: it can list several permitted origins, which is what ALLOW-FROM tried to do, and 'none' corresponds to DENY. When both headers are present, browsers that understand frame-ancestors ignore X-Frame-Options, so the two values should agree. Sending both is still recommended so that older browsers without CSP Level 2 support fall back to X-Frame-Options.
What InspectWP Checks
InspectWP verifies whether your WordPress site sends the X-Frame-Options header. A missing header means any website could embed your pages in an iframe (unless a CSP frame-ancestors directive covers the page), potentially enabling clickjacking attacks.
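The following Python script is an added example, not InspectWP's own checker. It models how a browser combines the values listed above with a CSP frame-ancestors directive, and wraps that in a small report of the kind a header check produces. The origins (shop.example, partner.example, attacker.example) and the header sets are constructed for illustration; the decision logic follows the HTML standard's X-Frame-Options processing steps and CSP3's frame-ancestors matching, simplified to a single framing origin rather than the full chain of ancestors.

```python
"""Decide whether a page may be framed, from its X-Frame-Options and
Content-Security-Policy headers.

Added example for this page, not InspectWP's own checker. The decision
follows the HTML standard's "process X-Frame-Options" steps and CSP3's
frame-ancestors rules, with one simplification: the framing site is a
single origin, whereas browsers check every ancestor in the frame chain.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_xfo(values):
    """Reduce X-Frame-Options values to 'deny', 'sameorigin' or None.

    values: every X-Frame-Options header line received (may be empty).
    Browsers comma-split, trim, lowercase and de-duplicate the values, then:
      - several distinct values, at least one of deny/sameorigin/allowall:
        treated as deny (a garbled but clearly intended restriction)
      - several distinct values, none recognised: ignored (None)
      - one value that is not deny/sameorigin (ALLOW-FROM ..., typos): ignored
    """
    tokens = {t.strip().lower() for v in values for t in v.split(",") if t.strip()}
    if not tokens:
        return None
    if len(tokens) > 1:
        return "deny" if tokens & {"deny", "sameorigin", "allowall"} else None
    token = tokens.pop()
    return token if token in ("deny", "sameorigin") else None


def frame_ancestor_policies(csp_values):
    """One source list per enforced CSP header that sets frame-ancestors.

    Report-Only policies must not be passed in: they never block framing.
    """
    policies = []
    for csp in csp_values:
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                policies.append([p.lower() for p in parts[1:]])
    return policies


def _origin(url):
    """(scheme, host, port) with the default port filled in."""
    u = urlparse(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _source_matches(source, page, framer):
    """Match one frame-ancestors source expression against the framer origin.

    Handles 'none', 'self', *, scheme sources ("https:") and host sources
    with optional scheme, port and a leading "*." wildcard label.
    """
    f_scheme, f_host, f_port = _origin(framer)
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin(page) == (f_scheme, f_host, f_port)
    if source == "*":
        return True
    if source.endswith(":") and "//" not in source:
        return f_scheme == source[:-1]
    # A host source without a scheme takes the framer's scheme (http or https).
    s_scheme, s_host, s_port = _origin(source if "://" in source else f"{f_scheme}://{source}")
    if s_scheme != f_scheme or s_port != f_port:
        return False
    if s_host.startswith("*."):
        return f_host.endswith(s_host[1:])  # "*.example.com" matches "a.example.com"
    return f_host == s_host


def framing_allowed(headers, page_origin, framer_origin):
    """headers: list of (name, value) pairs as received; names are case-insensitive."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    policies = frame_ancestor_policies(by_name.get("content-security-policy", []))
    if policies:
        # frame-ancestors present: X-Frame-Options is ignored, and every
        # policy that sets the directive must allow the framer.
        return all(any(_source_matches(s, page_origin, framer_origin) for s in p)
                   for p in policies)
    xfo = parse_xfo(by_name.get("x-frame-options", []))
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return _origin(page_origin) == _origin(framer_origin)
    return True  # no enforceable header: any site may frame the page


def clickjacking_report(headers, page_origin):
    """Summarise the protection the way a header check would report it."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    attacker = "https://attacker.example"  # constructed third-party origin
    return {
        "x_frame_options": parse_xfo(by_name.get("x-frame-options", [])),
        "frame_ancestors": bool(frame_ancestor_policies(by_name.get("content-security-policy", []))),
        "external_framing_allowed": framing_allowed(headers, page_origin, attacker),
        "self_framing_allowed": framing_allowed(headers, page_origin, page_origin),
    }


if __name__ == "__main__":
    site = "https://shop.example"  # constructed site origin
    samples = {  # constructed header sets, as a WordPress site might send them
        "missing": [],
        "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
        "allow-from (ignored)": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
        "conflicting": [("X-Frame-Options", "DENY, SAMEORIGIN")],
        "csp overrides xfo": [("X-Frame-Options", "DENY"),
                              ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example")],
    }
    for label, hdrs in samples.items():
        print(f"{label:22} {clickjacking_report(hdrs, site)}")
```

Two of the sample sets are worth running on their own: the ALLOW-FROM set shows that a deprecated value is not a weaker protection but no protection at all, and the "csp overrides xfo" set shows that once frame-ancestors is present the DENY in X-Frame-Options no longer counts, so a partner origin listed in the CSP can frame the page even though the legacy header says otherwise.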