An iframe is a third-party page inserted into your own web page. There are many entirely legitimate uses for iframes, but hackers also like them because they can make unsuspecting web surfers load malicious web pages while browsing legitimate websites.

To block iframes, you can use the X-Frame-Options HTTP header field:

<meta http-equiv="X-Frame-Options" content="deny">

There are three possible values for X-Frame-Options:

DENY – The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself.

ALLOW-FROM uri – The page can only be displayed in a frame on the specified origin.

In Apache, you can add the following code to block iframes.

For those who only want to prevent sites other than your current site from framing your pages, add the following line.


For those who want to prevent all sites (including the one that you're protecting) from framing your site, add the following line instead.

Header append X-FRAME-OPTIONS "DENY"
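
An added example, not from the original post: a small Python check that classifies the X-Frame-Options policy found in a list of response headers, using the three values listed above. The sample headers are constructed, and the function names are this example's own; it also flags the comma-joined value that Apache's `Header append` produces when the response already carries the header.

```python
def _normalise(token):
    """Split 'ALLOW-FROM uri' style tokens into (DIRECTIVE, argument)."""
    parts = token.split(None, 1)
    return parts[0].upper(), (parts[1].strip() if len(parts) > 1 else None)

def _show(item):
    return " ".join(filter(None, item))

def framing_policy(headers):
    """Classify the framing policy in a list of (name, value) headers.

    Returns (status, detail); status is one of 'missing', 'deny',
    'sameorigin', 'allow-from', 'conflict' or 'invalid'.
    """
    # Header names are case-insensitive; collect every matching line.
    raw = [v for n, v in headers if n.strip().lower() == "x-frame-options"]
    if not raw:
        return ("missing", None)
    # "Header append" merges onto an existing header with a comma, so
    # split on commas as well as across repeated header lines.
    seen = []
    for value in raw:
        for token in value.split(","):
            if token.strip():
                item = _normalise(token.strip())
                if item not in seen:
                    seen.append(item)
    if not seen:
        return ("invalid", "")
    if len(seen) > 1:
        # Different values at once: the configuration needs fixing.
        return ("conflict", ", ".join(_show(i) for i in seen))
    directive, arg = seen[0]
    if directive in ("DENY", "SAMEORIGIN") and arg is None:
        return (directive.lower(), None)
    if directive == "ALLOW-FROM" and arg:
        return ("allow-from", arg)
    return ("invalid", _show(seen[0]))

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "no header": [("Content-Type", "text/html")],
    "deny": [("X-FRAME-OPTIONS", "deny")],
    "appended": [("X-Frame-Options", "SAMEORIGIN, DENY")],
    "misspelled": [("X-Frame-Options", "SAME-ORIGIN")],
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:12} -> {framing_policy(hdrs)}")
```

A "conflict" result usually means the application and the web server are both setting the header; keep one source, or use `Header set` so the server's value replaces the existing one.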


Post By Gishore J Kallarackal (2,121 Posts)
