An iframe is a third-party page embedded in your own web page. Iframes have many entirely legitimate uses, but attackers also like them because they can make unsuspecting users load malicious pages while browsing legitimate websites.
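To block framing, you can use the X-Frame-Options HTTP header field:
<meta http-equiv="X-Frame-Options" content="deny">
Note that browsers only enforce X-Frame-Options when it arrives as an HTTP response header. The same value placed in a <meta> tag is ignored, so set it in the server configuration, as shown below for Apache.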
There are three possible values for X-Frame-Options:
DENY – The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself.
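ALLOW-FROM uri – The page can only be displayed in a frame on the specified origin. This value is obsolete and current browsers ignore it; the Content-Security-Policy frame-ancestors directive is its replacement.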
In Apache, you can add the following directives (they require mod_headers) to block framing.
For those who only want to prevent sites other than your own from framing your pages, add the following line:
Header append X-FRAME-OPTIONS "SAMEORIGIN"
For those who want to prevent all sites (including the one that you're protecting) from framing your site, add the following line instead:
Header append X-FRAME-OPTIONS "DENY"
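To confirm that the header actually reaches clients with a usable value, the check below audits the headers of one response. It is an added example, not code from the original page; the function name `audit_xfo`, the verdict labels and the sample responses are constructed for illustration.

```python
import re

# Matches the <meta http-equiv="X-Frame-Options"> form shown on this page.
META_XFO = re.compile(r"<meta[^>]+http-equiv\s*=\s*[\"']?x-frame-options", re.I)

def audit_xfo(headers, body=""):
    """Classify one response's framing policy.

    headers: list of (name, value) pairs from a single HTTP response.
    body:    optional HTML body, checked only for a meta-tag policy.
    Returns (verdict, detail). Function name and verdict labels are
    illustrative, not part of any standard or library.
    """
    values = []
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            # Repeated headers and comma-joined values (what "Header append"
            # produces when the header was already set) are flattened here.
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    if not values:
        if META_XFO.search(body):
            return ("unprotected", "policy only in <meta>; not sent as a response header")
        return ("unprotected", "no X-Frame-Options response header")
    distinct = sorted(set(values))
    if len(distinct) > 1:
        return ("misconfigured", "conflicting values: " + ", ".join(distinct))
    value = distinct[0]
    if value in ("DENY", "SAMEORIGIN"):
        return ("protected", value)
    if value.startswith("ALLOW-FROM"):
        return ("unreliable", "ALLOW-FROM is obsolete and ignored by current browsers")
    return ("misconfigured", "unrecognized value: " + value)

# Constructed sample responses (not captured from a real site).
SAMPLES = {
    "sameorigin": ([("X-Frame-Options", "SAMEORIGIN")], ""),
    "appended twice": ([("X-FRAME-OPTIONS", "DENY, SAMEORIGIN")], ""),
    "curly quotes": ([("X-Frame-Options", "\u201cDENY\u201d")], ""),
    "meta only": ([("Content-Type", "text/html")],
                  '<meta http-equiv="X-Frame-Options" content="deny">'),
    "allow-from": ([("X-Frame-Options", "ALLOW-FROM https://partner.example")], ""),
}

if __name__ == "__main__":
    for label, (hdrs, html) in SAMPLES.items():
        print(f"{label:15} -> {audit_xfo(hdrs, html)}")
```

The "curly quotes" sample models a directive copied with typographic quotes, which end up as part of the header value instead of delimiting it.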