https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Scan ID:: 3d155732-702e-4b63-bd23-cac0ca313cceFinished
Submitted URL:: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
Report Finished:: Oct 10, 2024, 09:27:56
Links · 24 found

The outgoing links identified from the page
Link	Text
https://scrimba.com/learn/frontend?via=mdn	Scrimba
https://github.com/orgs/mdn/discussions/739
https://support.microsoft.com/en-US/office/mitigating-framesniffing-with-the-x-frame-options-header-1911411b-b51e-49fd-9441-e8301dcdcd79	Microsoft support article on setting this configuration using the IIS Manager
https://helmetjs.github.io/	Helmet
https://html.spec.whatwg.org/multipage/document-lifecycle.html#the-x-frame-options-header	HTML Standard#the-x-frame-options-header
https://github.com/mdn/browser-compat-data	https://github.com/mdn/browser-compat-data
https://learn.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vii-clickjacking-defenses	ClickJacking Defenses - IEBlog
https://learn.microsoft.com/en-us/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options	Combating ClickJacking with X-Frame-Options - IEInternals
https://github.com/mdn/content/blob/main/CONTRIBUTING.md	Learn how to contribute
https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/x-frame-options/index.md?plain=1	View this page on GitHub
JavaScript Variables · 19 found

Global JavaScript variables loaded on the window object of a page, are variables declared outside of functions and accessible from anywhere in the code within the current scope
Name	Type
onbeforetoggle	object
documentPictureInPicture	object
onscrollend	object
Mozilla	object
gaScript	object
gtag	function
dataLayer	object
webpackChunkclient	object
__reactRouterVersion	string
Glean	object
Console log messages · 6 found

Messages logged to the web console
Type	Category	Log
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping 9372bc1c-7b23-4cd5-8868-52b22e99dd0c successfully sent 200.
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping e5cde573-8f23-4a1d-bdd8-ec90bd42d4cf successfully sent 200.
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping 8940802a-7b22-45c7-80a0-0102789f1dc3 successfully sent 200.
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping 6ba7dee5-fdbe-44ca-929c-1869732f2437 successfully sent 200.
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping 3f5bbbdd-3e15-4baf-8343-cf20ed213fb8 successfully sent 200.
info	other	URL https://developer.mozilla.org/static/js/main.3b51b1c8.js Text (Glean.core.Upload.PingUploadManager) Ping 8ea1a2a4-69ea-414c-89f4-9329fe7cb06e successfully sent 200.
HTML

The raw HTML body of the page
<!DOCTYPE html><html lang="en-US" prefix="og: https://ogp.me/ns#" class="os-default"><head><meta charset="utf-8"><meta name="viewport" content="width=device-width,initial-scale=1"><link rel="icon" href="https://developer.mozilla.org/favicon-48x48.bc390275e955dacb2e65.png"><link rel="apple-touch-icon" href="https://developer.mozilla.org/apple-touch-icon.528534bba673c38049c2.png"><meta name="theme-color" content="rgb(255, 255, 255)"><link rel="manifest" href="https://developer.mozilla.org/manifest.f42880861b394dd4dc9b.json"><link rel="search" type="application/opensearchdescription+xml" href="/opensearch.xml" title="MDN Web Docs"><title>X-Frame-Options - HTTP | MDN</title><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/es/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="es"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/fr/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="fr"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/ja/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="ja"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/ko/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="ko"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/pt-BR/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="pt"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/zh-CN/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="zh"><link rel="alternate" title="X-Frame-Options 回應標頭" href="https://developer.mozilla.org/zh-TW/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="zh-Hant"><link rel="alternate" title="X-Frame-Options" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options" hreflang="en"><link rel="preload" as="font" type="font/woff2" href="/static/media/Inter.var.c2fe3cb2b7c746f7966a.woff2" crossorigin=""><link rel="alternate" type="application/rss+xml" title="MDN Blog RSS Feed" href="https://developer.mozilla.org/en-US/blog/rss.xml" hreflang="en"><meta name="description" content="The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites."><meta property="og:url" content="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"><meta property="og:title" content="X-Frame-Options - HTTP | MDN"><meta property="og:type" content="website"><meta property="og:locale" content="en_US"><meta property="og:description" content="The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites."><meta property="og:image" content="https://developer.mozilla.org/mdn-social-share.d893525a4fb5fb1f67a2.png"><meta property="og:image:type" content="image/png"><meta property="og:image:height" content="1080"><meta property="og:image:width" content="1920"><meta property="og:image:alt" content="The MDN Web Docs logo, featuring a blue accent color, displayed on a solid black background."><meta property="og:site_name" content="MDN Web Docs"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:creator" content="MozDevNet"><link rel="canonical" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options"><style media="print">.article-actions-container,.document-toc-container,.language-menu,.main-menu-toggle,.on-github,.page-footer,.place,.sidebar,.top-banner,.top-navigation-main,ul.prev-next{display:none!important}.main-page-content,.main-page-content pre{padding:2px}.main-page-content pre{border-left-width:2px}</style><script type="text/javascript" async="" src="https://www.google-analytics.com/analytics.js"></script><script type="text/javascript" async="" src="https://www.googletagmanager.com/gtag/js?id=G-PWTK27XVWP&amp;l=dataLayer&amp;cx=c"></script><script src="/static/js/gtag.js" defer=""></script><script defer="" src="/static/js/main.3b51b1c8.js"></script><link href="/static/css/main.cbe2fce7.css" rel="stylesheet"><script async="" src="https://www.googletagmanager.com/gtag/js?id=UA-36116321-5"></script></head><body><script>if(document.body.addEventListener("load",(t=>{t.target.classList.contains("interactive")&&t.target.setAttribute("data-readystate","complete")}),{capture:!0}),window&&document.documentElement){const t={light:"#ffffff",dark:"#1b1b1b"};try{const e=window.localStorage.getItem("theme");e&&(document.documentElement.className=e,document.documentElement.style.backgroundColor=t[e]);const o=window.localStorage.getItem("nop");o&&(document.documentElement.dataset.nop=o)}catch(t){console.warn("Unable to read theme from localStorage",t)}}</script><div id="root"><ul id="nav-access" class="a11y-nav"><li><a id="skip-main" href="#content">Skip to main content</a></li><li><a id="skip-search" href="#top-nav-search-input">Skip to search</a></li><li><a id="skip-select-language" href="#languages-switcher-button">Skip to select language</a></li></ul><div class="page-wrapper  category-http document-page"><div class="top-banner fallback"><section class="place top container"><p class="fallback-copy">Learn front-end development with a 30% discount on <a href="https://scrimba.com/learn/frontend?via=mdn" target="_blank" rel="noreferrer">Scrimba</a> — limited time offer!</p></section></div><div class="sticky-header-container"><header class="top-navigation 
      
      "><div class="container "><div class="top-navigation-wrap"><a href="/en-US/" class="logo" aria-label="MDN homepage"><svg id="mdn-docs-logo" xmlns="http://www.w3.org/2000/svg" x="0" y="0" viewBox="0 0 694.9 104.4" style="enable-background:new 0 0 694.9 104.4" xml:space="preserve" role="img"><title>MDN Web Docs</title><path d="M40.3 0 11.7 92.1H0L28.5 0h11.8zm10.4 0v92.1H40.3V0h10.4zM91 0 62.5 92.1H50.8L79.3 0H91zm10.4 0v92.1H91V0h10.4z" class="logo-m"></path><path d="M627.9 95.6h67v8.8h-67v-8.8z" class="logo-_"></path><path d="M367 42h-4l-10.7 30.8h-5.5l-10.8-26h-.4l-10.5 26h-5.2L308.7 42h-3.8v-5.6H323V42h-6.5l6.8 20.4h.4l10.3-26h4.7l11.2 26h.5l5.7-20.3h-6.2v-5.6H367V42zm34.9 20c-.4 3.2-2 5.9-4.7 8.2-2.8 2.3-6.5 3.4-11.3 3.4-5.4 0-9.7-1.6-13.1-4.7-3.3-3.2-5-7.7-5-13.7 0-5.7 1.6-10.3 4.7-14s7.4-5.5 12.9-5.5c5.1 0 9.1 1.6 11.9 4.7s4.3 6.9 4.3 11.3c0 1.5-.2 3-.5 4.7h-25.6c.3 7.7 4 11.6 10.9 11.6 2.9 0 5.1-.7 6.5-2 1.5-1.4 2.5-3 3-4.9l6 .9zM394 51.3c.2-2.4-.4-4.7-1.8-6.9s-3.8-3.3-7-3.3c-3.1 0-5.3 1-6.9 3-1.5 2-2.5 4.4-2.8 7.2H394zm51 2.4c0 5-1.3 9.5-4 13.7s-6.9 6.2-12.7 6.2c-6 0-10.3-2.2-12.7-6.7-.1.4-.2 1.4-.4 2.9s-.3 2.5-.4 2.9h-7.3c.3-1.7.6-3.5.8-5.3.3-1.8.4-3.7.4-5.5V22.3h-6v-5.6H416v27c1.1-2.2 2.7-4.1 4.7-5.7 2-1.6 4.8-2.4 8.4-2.4 4.6 0 8.4 1.6 11.4 4.7 3 3.2 4.5 7.6 4.5 13.4zm-7.7.6c0-4.2-1-7.4-3-9.5-2-2.2-4.4-3.3-7.4-3.3-3.4 0-6 1.2-8 3.7-1.9 2.4-2.9 5-3 7.7V57c0 3 1 5.6 3 7.7s4.5 3.1 7.6 3.1c3.6 0 6.3-1.3 8.1-3.9 1.8-2.7 2.7-5.9 2.7-9.6zm69.2 18.5h-13.2v-7.2c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2 5.7 0 9.8 2.2 12.3 6.5V22.3h-8.6v-5.6h15.8v50.6h6v5.5zM493.2 56v-4.4c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm53.1-1.4c0 5.6-1.8 10.2-5.3 13.7s-8.2 5.3-13.9 5.3-10.1-1.7-13.4-5.1c-3.3-3.4-5-7.9-5-13.5 0-5.3 1.6-9.9 4.7-13.7 3.2-3.8 7.9-5.7 14.2-5.7s11 1.9 14.1 5.7c3 3.7 4.6 8.1 4.6 13.3zm-7.7-.2c0-4-1-7.2-3-9.5s-4.8-3.5-8.2-3.5c-3.6 0-6.4 1.2-8.3 3.7s-2.9 5.6-2.9 9.5c0 3.7.9 6.8 2.8 9.4 1.9 2.6 4.6 3.9 8.3 3.9 3.6 0 6.4-1.3 8.4-3.8 1.9-2.6 2.9-5.8 2.9-9.7zm45 5.8c-.4 3.2-1.9 6.3-4.4 9.1-2.5 2.9-6.4 4.3-11.8 4.3-5.2 0-9.4-1.6-12.6-4.8-3.2-3.2-4.8-7.7-4.8-13.7 0-5.5 1.6-10.1 4.7-13.9 3.2-3.8 7.6-5.7 13.2-5.7 2.3 0 4.6.3 6.7.8 2.2.5 4.2 1.5 6.2 2.9l1.5 9.5-5.9.7-1.3-6.1c-2.1-1.2-4.5-1.8-7.2-1.8-3.5 0-6.1 1.2-7.7 3.7-1.7 2.5-2.5 5.7-2.5 9.6 0 4.1.9 7.3 2.7 9.5 1.8 2.3 4.4 3.4 7.8 3.4 5.2 0 8.2-2.9 9.2-8.8l6.2 1.3zm34.7 1.9c0 3.6-1.5 6.5-4.6 8.5s-7 3-11.7 3c-5.7 0-10.6-1.2-14.6-3.6l1.2-8.8 5.7.6-.2 4.7c1.1.5 2.3.9 3.6 1.1s2.6.3 3.9.3c2.4 0 4.5-.4 6.5-1.3 1.9-.9 2.9-2.2 2.9-4.1 0-1.8-.8-3.1-2.3-3.8s-3.5-1.3-5.8-1.7-4.6-.9-6.9-1.4c-2.3-.6-4.2-1.6-5.7-2.9-1.6-1.4-2.3-3.5-2.3-6.3 0-4.1 1.5-6.9 4.6-8.5s6.4-2.4 9.9-2.4c2.6 0 5 .3 7.2.9 2.2.6 4.3 1.4 6.1 2.4l.8 8.8-5.8.7-.8-5.7c-2.3-1-4.7-1.6-7.2-1.6-2.1 0-3.7.4-5.1 1.1-1.3.8-2 2-2 3.8 0 1.7.8 2.9 2.3 3.6 1.5.7 3.4 1.2 5.7 1.6 2.2.4 4.5.8 6.7 1.4 2.2.6 4.1 1.6 5.7 3 1.4 1.6 2.2 3.7 2.2 6.6zM197.6 73.2h-17.1v-5.5h3.8V51.9c0-3.7-.7-6.3-2.1-7.9-1.4-1.6-3.3-2.3-5.7-2.3-3.2 0-5.6 1.1-7.2 3.4s-2.4 4.6-2.5 6.9v15.6h6v5.5h-17.1v-5.5h3.8V51.9c0-3.8-.7-6.4-2.1-7.9-1.4-1.5-3.3-2.3-5.6-2.3-3.2 0-5.5 1.1-7.2 3.3-1.6 2.2-2.4 4.5-2.5 6.9v15.8h6.9v5.5h-20.2v-5.5h6V42.4h-6.1v-5.6h13.4v6.4c1.2-2.1 2.7-3.8 4.7-5.2 2-1.3 4.4-2 7.3-2s5.3.7 7.5 2.1c2.2 1.4 3.7 3.5 4.5 6.4 1.1-2.5 2.7-4.5 4.9-6.1s4.8-2.4 7.9-2.4c3.5 0 6.5 1.1 8.9 3.3s3.7 5.6 3.7 10.2v18.2h6.1v5.5zm42.5 0h-13.2V66c-1.2 2.2-2.8 4.1-4.9 5.6-2.1 1.6-4.8 2.4-8.3 2.4-4.8 0-8.7-1.6-11.6-4.9-2.9-3.2-4.3-7.7-4.3-13.3 0-5 1.3-9.6 4-13.7 2.6-4.1 6.9-6.2 12.8-6.2s9.8 2.2 12.3 6.5V22.7h-8.6v-5.6h15.8v50.6h6v5.5zm-13.3-16.8V52c-.1-3-1.2-5.5-3.2-7.3s-4.4-2.8-7.2-2.8c-3.6 0-6.3 1.3-8.2 3.9-1.9 2.6-2.8 5.8-2.8 9.6 0 4.1 1 7.3 3 9.5s4.5 3.3 7.4 3.3c3.2 0 5.8-1.3 7.8-3.8 2.1-2.6 3.1-5.3 3.2-8zm61.5 16.8H269v-5.5h6V51.9c0-3.7-.7-6.3-2.2-7.9-1.4-1.6-3.4-2.3-5.7-2.3-3.1 0-5.6 1-7.4 3s-2.8 4.4-2.9 7v15.9h6v5.5h-19.3v-5.5h6V42.4h-6.2v-5.6h13.6V43c2.6-4.6 6.8-6.9 12.7-6.9 3.6 0 6.7 1.1 9.2 3.3s3.7 5.6 3.7 10.2v18.2h6v5.4h-.2z" class="logo-text"></path></svg></a><button title="Open main menu" type="button" class="button action has-icon main-menu-toggle" aria-haspopup="menu" aria-label="Open main menu" aria-expanded="false"><span class="button-wrap"><span class="icon icon-menu "></span><span class="visually-hidden">Open main menu</span></span></button></div><div class="top-navigation-main"><nav class="main-nav" aria-label="Main menu"><ul class="main-menu"><li class="top-level-entry-container active"><button type="button" id="references-button" class="top-level-entry menu-toggle" aria-controls="references-menu" aria-expanded="false">References</button><a href="/en-US/docs/Web" class="top-level-entry">References</a><ul id="references-menu" class="submenu references hidden inline-submenu-lg" aria-labelledby="references-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Web/HTML" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Structure of content on the web</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Web/CSS" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Code used to describe document style</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Web/JavaScript" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">General-purpose scripting language</p></div></a></li><li class="http-link-container "><a href="/en-US/docs/Web/HTTP" class="submenu-item "><div class="submenu-icon http"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP</div><p class="submenu-item-description">Protocol for transmitting web resources</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Web/API" class="submenu-item "><div class="submenu-icon apis"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web APIs</div><p class="submenu-item-description">Interfaces for building web applications</p></div></a></li><li class="apis-link-container "><a href="/en-US/docs/Mozilla/Add-ons/WebExtensions" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Extensions</div><p class="submenu-item-description">Developing extensions for web browsers</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Web" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Web Technology</div><p class="submenu-item-description">Web technology reference for developers</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="guides-button" class="top-level-entry menu-toggle" aria-controls="guides-menu" aria-expanded="false">Guides</button><a href="/en-US/docs/Learn" class="top-level-entry">Guides</a><ul id="guides-menu" class="submenu guides hidden inline-submenu-lg" aria-labelledby="guides-button"><li class="apis-link-container mobile-only "><a href="/en-US/docs/Learn" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview / MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="apis-link-container desktop-only "><a href="/en-US/docs/Learn" class="submenu-item "><div class="submenu-icon learn"></div><div class="submenu-content-container"><div class="submenu-item-heading">MDN Learning Area</div><p class="submenu-item-description">Learn web development</p></div></a></li><li class="html-link-container "><a href="/en-US/docs/Learn/HTML" class="submenu-item "><div class="submenu-icon html"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTML</div><p class="submenu-item-description">Learn to structure web content with HTML</p></div></a></li><li class="css-link-container "><a href="/en-US/docs/Learn/CSS" class="submenu-item "><div class="submenu-icon css"></div><div class="submenu-content-container"><div class="submenu-item-heading">CSS</div><p class="submenu-item-description">Learn to style content using CSS</p></div></a></li><li class="javascript-link-container "><a href="/en-US/docs/Learn/JavaScript" class="submenu-item "><div class="submenu-icon javascript"></div><div class="submenu-content-container"><div class="submenu-item-heading">JavaScript</div><p class="submenu-item-description">Learn to run scripts in the browser</p></div></a></li><li class=" "><a href="/en-US/docs/Web/Accessibility" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Accessibility</div><p class="submenu-item-description">Learn to make the web accessible to all</p></div></a></li></ul></li><li class="top-level-entry-container "><button type="button" id="mdn-plus-button" class="top-level-entry menu-toggle" aria-controls="mdn-plus-menu" aria-expanded="false">Plus</button><a href="/en-US/plus" class="top-level-entry">Plus</a><ul id="mdn-plus-menu" class="submenu mdn-plus hidden inline-submenu-lg" aria-labelledby="mdn-plus-button"><li class=" "><a href="/en-US/plus" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Overview</div><p class="submenu-item-description">A customized MDN experience</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li><li class=" "><a href="/en-US/plus/updates" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Updates</div><p class="submenu-item-description">All browser compatibility updates at a glance</p></div></a></li><li class=" "><a href="/en-US/plus/docs/features/overview" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Documentation</div><p class="submenu-item-description">Learn how to use MDN Plus</p></div></a></li><li class=" "><a href="/en-US/plus/docs/faq" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">FAQ</div><p class="submenu-item-description">Frequently asked questions about MDN Plus</p></div></a></li></ul></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/curriculum/">Curriculum <sup class="new">New</sup></a></li><li class="top-level-entry-container "><a class="top-level-entry menu-link" href="/en-US/blog/">Blog</a></li><li class="top-level-entry-container "><button type="button" id="tools-button" class="top-level-entry menu-toggle" aria-controls="tools-menu" aria-expanded="false">Tools</button><ul id="tools-menu" class="submenu tools hidden inline-submenu-lg" aria-labelledby="tools-button"><li class=" "><a href="/en-US/play" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">Playground</div><p class="submenu-item-description">Write, test and share your code</p></div></a></li><li class=" "><a href="/en-US/observatory" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">HTTP Observatory</div><p class="submenu-item-description">Scan a website for free</p></div></a></li><li class=" "><a href="/en-US/plus/ai-help" class="submenu-item "><div class="submenu-icon"></div><div class="submenu-content-container"><div class="submenu-item-heading">AI Help</div><p class="submenu-item-description">Get real-time assistance and support</p></div></a></li></ul></li></ul></nav><div class="header-search"><form action="/en-US/search" class="search-form search-widget" id="top-nav-search-form" role="search"><label id="top-nav-search-label" for="top-nav-search-input" class="visually-hidden">Search MDN</label><input aria-activedescendant="" aria-autocomplete="list" aria-controls="top-nav-search-menu" aria-expanded="false" aria-labelledby="top-nav-search-label" autocomplete="off" id="top-nav-search-input" role="combobox" type="search" class="search-input-field" name="q" placeholder="   " required="" value=""><button type="button" class="button action has-icon clear-search-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear search input</span></span></button><button type="submit" class="button action has-icon search-button"><span class="button-wrap"><span class="icon icon-search "></span><span class="visually-hidden">Search</span></span></button><div id="top-nav-search-menu" role="listbox" aria-labelledby="top-nav-search-label"></div></form></div><div class="theme-switcher-menu"><button type="button" class="button action has-icon theme-switcher-menu small" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-theme-os-default "></span>Theme</span></button></div><ul class="auth-container"><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FX-Frame-Options" class="login-link" rel="nofollow">Log in</a></li><li><a href="/users/fxa/login/authenticate/?next=%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FX-Frame-Options" target="_self" rel="nofollow" class="button primary mdn-plus-subscribe-link"><span class="button-wrap">Sign up for free</span></a></li></ul></div></div></header><div class="article-actions-container"><div class="container"><button type="button" class="button action has-icon sidebar-button" aria-label="Expand sidebar" aria-expanded="false" aria-controls="sidebar-quicklinks"><span class="button-wrap"><span class="icon icon-sidebar "></span></span></button><nav class="breadcrumbs-container" aria-label="Breadcrumb"><ol typeof="BreadcrumbList" vocab="https://schema.org/" aria-label="breadcrumbs"><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web" class="breadcrumb" property="item" typeof="WebPage"><span property="name">References</span></a><meta property="position" content="1"></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP" class="breadcrumb" property="item" typeof="WebPage"><span property="name">HTTP</span></a><meta property="position" content="2"></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP/Headers" class="breadcrumb" property="item" typeof="WebPage"><span property="name">Headers</span></a><meta property="position" content="3"></li><li property="itemListElement" typeof="ListItem"><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options" class="breadcrumb-current-page" property="item" typeof="WebPage"><span property="name">X-Frame-Options</span></a><meta property="position" content="4"></li></ol></nav><div class="article-actions"><button type="button" class="button action has-icon article-actions-toggle" aria-label="Article actions"><span class="button-wrap"><span class="icon icon-ellipses "></span><span class="article-actions-dialog-heading">Article Actions</span></span></button><ul class="article-actions-entries"><li class="article-actions-entry"><div class="languages-switcher-menu open-on-focus-within"><button id="languages-switcher-button" type="button" class="button action small has-icon languages-switcher-menu" aria-haspopup="menu"><span class="button-wrap"><span class="icon icon-language "></span>English (US)</span></button><div class="hidden"><ul class="submenu language-menu  " aria-labelledby="language-menu-button"><li class=" "><form class="submenu-item locale-redirect-setting"><div class="group"><label class="switch"><input type="checkbox" name="locale-redirect"><span class="slider"></span><span class="label">Remember language</span></label><a href="https://github.com/orgs/mdn/discussions/739" rel="external noopener noreferrer" target="_blank" title="Enable this setting to automatically switch to this language when it's available. (Click to learn more.)"><span class="icon icon-question-mark "></span></a></div><section class="glean-thumbs"><span class="question">Is this useful?</span><button title="This feature is useful." type="button" class="button action has-icon thumbs"><span class="button-wrap"><span class="icon icon-thumbs-up "></span><span class="visually-hidden">This feature is useful.</span></span></button><button title="This feature is not useful." type="button" class="button action has-icon thumbs"><span class="button-wrap"><span class="icon icon-thumbs-down "></span><span class="visually-hidden">This feature is not useful.</span></span></button></section></form></li><li class=" "><a data-locale="es" href="/es/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>Español</span></a></li><li class=" "><a data-locale="fr" href="/fr/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>Français</span></a></li><li class=" "><a data-locale="ja" href="/ja/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>日本語</span></a></li><li class=" "><a data-locale="ko" href="/ko/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>한국어</span></a></li><li class=" "><a data-locale="pt-BR" href="/pt-BR/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>Português (do&nbsp;Brasil)</span></a></li><li class=" "><a data-locale="zh-CN" href="/zh-CN/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>中文 (简体)</span></a></li><li class=" "><a data-locale="zh-TW" href="/zh-TW/docs/Web/HTTP/Headers/X-Frame-Options" class="button submenu-item"><span>正體中文 (繁體)</span></a></li></ul></div></div></li></ul></div></div></div></div><div class="main-wrapper"><div class="sidebar-container"><aside id="sidebar-quicklinks" class="sidebar" data-macro="HTTPSidebar"><button type="button" class="button action backdrop" aria-label="Collapse sidebar"><span class="button-wrap"></span></button><nav aria-label="Related Topics" class="sidebar-inner"><header class="sidebar-actions"><section class="sidebar-filter-container"><div class="sidebar-filter "><label id="sidebar-filter-label" class="sidebar-filter-label" for="sidebar-filter-input"><span class="icon icon-filter"></span><span class="visually-hidden">Filter sidebar</span></label><input id="sidebar-filter-input" autocomplete="off" class="sidebar-filter-input-field false" type="text" placeholder="Filter" value=""><button type="button" class="button action has-icon clear-sidebar-filter-button"><span class="button-wrap"><span class="icon icon-cancel "></span><span class="visually-hidden">Clear filter input</span></span></button></div></section></header><div class="sidebar-inner-nav"><div class="in-nav-toc"><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#syntax">Syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li><li class="document-toc-item "><a class="document-toc-link" href="#see_also">See also</a></li></ul></section></div></div><div class="sidebar-body">
  <ol>
    <li class="section"><a href="/en-US/docs/Web/HTTP">HTTP</a></li>
    <li class="section no-link">Guides</li>
    <li><a href="/en-US/docs/Web/HTTP/Overview">An overview of HTTP</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Session">A typical HTTP session</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Messages">HTTP Messages</a></li>
    <li><a href="/en-US/docs/Web/HTTP/MIME_types">MIME types (IANA media types)</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Compression">Compression in HTTP</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Caching">HTTP caching</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Authentication">HTTP authentication</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Cookies">Using HTTP cookies</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Redirections">Redirections in HTTP</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Conditional_requests">HTTP conditional requests</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Range_requests">HTTP range requests</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Content_negotiation">Content negotiation</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x">Connection management in HTTP/1.x</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Evolution_of_HTTP">Evolution of HTTP</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism">Protocol upgrade mechanism</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling">Proxy servers and tunneling</a></li>
    <li><a href="/en-US/docs/Web/HTTP/Client_hints">HTTP Client hints</a></li>
    <li class="toggle">
      <details>
        <summary>Security and privacy</summary>
        <ol>
          <li><a href="/en-US/docs/Web/Security/Practical_implementation_guides">Practical security implementation guides</a></li>
          <li><a href="/en-US/observatory">HTTP Observatory</a></li>
          <li><a href="/en-US/docs/Web/HTTP/Permissions_Policy">Permissions Policy</a></li>
          <li><a href="/en-US/docs/Web/HTTP/CSP">Content Security Policy (CSP)</a></li>
          <li><a href="/en-US/docs/Web/HTTP/CORS">Cross-Origin Resource Sharing (CORS)</a></li>
          <li><a href="/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy">Cross-Origin Resource Policy (CORP)</a></li>
          <li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security">Strict-Transport-Security</a></li>
        </ol>
      </details>
    </li>
    <li class="section no-link">References</li>
    <li class="toggle">
      <details open="">
        <summary>HTTP headers</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/Headers/Accept"><code>Accept</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-CH"><code>Accept-CH</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Charset"><code>Accept-Charset</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Encoding"><code>Accept-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Language"><code>Accept-Language</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Patch"><code>Accept-Patch</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Post"><code>Accept-Post</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Accept-Ranges"><code>Accept-Ranges</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials"><code>Access-Control-Allow-Credentials</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers"><code>Access-Control-Allow-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods"><code>Access-Control-Allow-Methods</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin"><code>Access-Control-Allow-Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers"><code>Access-Control-Expose-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age"><code>Access-Control-Max-Age</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers"><code>Access-Control-Request-Headers</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method"><code>Access-Control-Request-Method</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Age"><code>Age</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Allow"><code>Allow</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Alt-Svc"><code>Alt-Svc</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Alt-Used"><code>Alt-Used</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible"><code>Attribution-Reporting-Eligible</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source"><code>Attribution-Reporting-Register-Source</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Authorization"><code>Authorization</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cache-Control"><code>Cache-Control</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Clear-Site-Data"><code>Clear-Site-Data</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Connection"><code>Connection</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Digest"><code>Content-Digest</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Disposition"><code>Content-Disposition</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-DPR"><code>Content-DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Encoding"><code>Content-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Language"><code>Content-Language</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Length"><code>Content-Length</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Location"><code>Content-Location</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Range"><code>Content-Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Type"><code>Content-Type</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cookie"><code>Cookie</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Critical-CH"><code>Critical-CH</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Date"><code>Date</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Device-Memory"><code>Device-Memory</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Digest"><code>Digest</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/DNT"><code>DNT</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Downlink"><code>Downlink</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/DPR"><code>DPR</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Early-Data"><code>Early-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/ECT"><code>ECT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/ETag"><code>ETag</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expect"><code>Expect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expect-CT"><code>Expect-CT</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Expires"><code>Expires</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Forwarded"><code>Forwarded</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/From"><code>From</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Host"><code>Host</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Match"><code>If-Match</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Modified-Since"><code>If-Modified-Since</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-None-Match"><code>If-None-Match</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Range"><code>If-Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since"><code>If-Unmodified-Since</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Keep-Alive"><code>Keep-Alive</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Last-Modified"><code>Last-Modified</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Link"><code>Link</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Location"><code>Location</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Max-Forwards"><code>Max-Forwards</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/NEL"><code>NEL</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/No-Vary-Search"><code>No-Vary-Search</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics"><code>Observe-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin"><code>Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster"><code>Origin-Agent-Cluster</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy"><code>Permissions-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Pragma"><code>Pragma</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Priority"><code>Priority</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate"><code>Proxy-Authenticate</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Proxy-Authorization"><code>Proxy-Authorization</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Range"><code>Range</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referer"><code>Referer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Referrer-Policy"><code>Referrer-Policy</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Refresh"><code>Refresh</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Report-To"><code>Report-To</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints"><code>Reporting-Endpoints</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Repr-Digest"><code>Repr-Digest</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Retry-After"><code>Retry-After</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/RTT"><code>RTT</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Save-Data"><code>Save-Data</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics"><code>Sec-Browsing-Topics</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA"><code>Sec-CH-UA</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch"><code>Sec-CH-UA-Arch</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness"><code>Sec-CH-UA-Bitness</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version"><code>Sec-CH-UA-Full-Version</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile"><code>Sec-CH-UA-Mobile</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model"><code>Sec-CH-UA-Model</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform"><code>Sec-CH-UA-Platform</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version"><code>Sec-CH-UA-Platform-Version</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest"><code>Sec-Fetch-Dest</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode"><code>Sec-Fetch-Mode</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site"><code>Sec-Fetch-Site</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User"><code>Sec-Fetch-User</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-GPC"><code>Sec-GPC</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-Purpose"><code>Sec-Purpose</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept"><code>Sec-WebSocket-Accept</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions"><code>Sec-WebSocket-Extensions</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key"><code>Sec-WebSocket-Key</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol"><code>Sec-WebSocket-Protocol</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version"><code>Sec-WebSocket-Version</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server"><code>Server</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Server-Timing"><code>Server-Timing</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Cookie"><code>Set-Cookie</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Set-Login"><code>Set-Login</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/SourceMap"><code>SourceMap</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Speculation-Rules"><code>Speculation-Rules</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security"><code>Strict-Transport-Security</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode"><code>Supports-Loading-Mode</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/TE"><code>TE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin"><code>Timing-Allow-Origin</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Tk"><code>Tk</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Trailer"><code>Trailer</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Transfer-Encoding"><code>Transfer-Encoding</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade"><code>Upgrade</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests"><code>Upgrade-Insecure-Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/User-Agent"><code>User-Agent</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Vary"><code>Vary</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Via"><code>Via</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Viewport-Width"><code>Viewport-Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Content-Digest"><code>Want-Content-Digest</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Digest"><code>Want-Digest</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest"><code>Want-Repr-Digest</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Warning"><code>Warning</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Width"><code>Width</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/WWW-Authenticate"><code>WWW-Authenticate</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options"><code>X-Content-Type-Options</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control"><code>X-DNS-Prefetch-Control</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-For"><code>X-Forwarded-For</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host"><code>X-Forwarded-Host</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto"><code>X-Forwarded-Proto</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><em><a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options" aria-current="page"><code>X-Frame-Options</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></em></li><li><a href="/en-US/docs/Web/HTTP/Headers/X-XSS-Protection"><code>X-XSS-Protection</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li></ol>
      </details>
    </li>
    <li class="toggle">
      <details>
        <summary>HTTP request methods</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/Methods/CONNECT"><code>CONNECT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/DELETE"><code>DELETE</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/GET"><code>GET</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/HEAD"><code>HEAD</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/OPTIONS"><code>OPTIONS</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PATCH"><code>PATCH</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/POST"><code>POST</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/PUT"><code>PUT</code></a></li><li><a href="/en-US/docs/Web/HTTP/Methods/TRACE"><code>TRACE</code></a></li></ol>
      </details>
    </li>
    <li class="toggle">
      <details>
        <summary>HTTP response status codes</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/Status/100"><code>100 Continue</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/101"><code>101 Switching Protocols</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/102"><code>102 Processing</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/103"><code>103 Early Hints</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/200"><code>200 OK</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/201"><code>201 Created</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/202"><code>202 Accepted</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/203"><code>203 Non-Authoritative Information</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/204"><code>204 No Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/205"><code>205 Reset Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/206"><code>206 Partial Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/207"><code>207 Multi-Status</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/208"><code>208 Already Reported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/226"><code>226 IM Used</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/300"><code>300 Multiple Choices</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/301"><code>301 Moved Permanently</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/302"><code>302 Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/303"><code>303 See Other</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/304"><code>304 Not Modified</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/307"><code>307 Temporary Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/308"><code>308 Permanent Redirect</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/400"><code>400 Bad Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/401"><code>401 Unauthorized</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/402"><code>402 Payment Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/403"><code>403 Forbidden</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/404"><code>404 Not Found</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/405"><code>405 Method Not Allowed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/406"><code>406 Not Acceptable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/407"><code>407 Proxy Authentication Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/408"><code>408 Request Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/409"><code>409 Conflict</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/410"><code>410 Gone</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/411"><code>411 Length Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/412"><code>412 Precondition Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/413"><code>413 Content Too Large</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/414"><code>414 URI Too Long</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/415"><code>415 Unsupported Media Type</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/416"><code>416 Range Not Satisfiable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/417"><code>417 Expectation Failed</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/418"><code>418 I'm a teapot</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/421"><code>421 Misdirected Request</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/422"><code>422 Unprocessable Content</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/423"><code>423 Locked</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/424"><code>424 Failed Dependency</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/425"><code>425 Too Early</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/426"><code>426 Upgrade Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/428"><code>428 Precondition Required</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/429"><code>429 Too Many Requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/431"><code>431 Request Header Fields Too Large</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/451"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/500"><code>500 Internal Server Error</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/501"><code>501 Not Implemented</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/502"><code>502 Bad Gateway</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/503"><code>503 Service Unavailable</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/504"><code>504 Gateway Timeout</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/505"><code>505 HTTP Version Not Supported</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/506"><code>506 Variant Also Negotiates</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/507"><code>507 Insufficient Storage</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/508"><code>508 Loop Detected</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/510"><code>510 Not Extended</code></a></li><li><a href="/en-US/docs/Web/HTTP/Status/511"><code>511 Network Authentication Required</code></a></li></ol>
      </details>
    </li>
    <li class="toggle">
      <details>
        <summary>CSP directives</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources"><code>CSP source values</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri"><code>CSP: base-uri</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content"><code>CSP: block-all-mixed-content</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src"><code>CSP: child-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src"><code>CSP: connect-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src"><code>CSP: default-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src"><code>CSP: fenced-frame-src</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src"><code>CSP: font-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action"><code>CSP: form-action</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>CSP: frame-ancestors</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src"><code>CSP: frame-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src"><code>CSP: img-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src"><code>CSP: manifest-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src"><code>CSP: media-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src"><code>CSP: object-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src"><code>CSP: prefetch-src</code></a><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to"><code>CSP: report-to</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri"><code>CSP: report-uri</code></a><abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for"><code>CSP: require-trusted-types-for</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox"><code>CSP: sandbox</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src"><code>CSP: script-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr"><code>CSP: script-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem"><code>CSP: script-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src"><code>CSP: style-src</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr"><code>CSP: style-src-attr</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem"><code>CSP: style-src-elem</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types"><code>CSP: trusted-types</code></a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src"><code>CSP: worker-src</code></a></li></ol>
      </details>
    </li>
    <li class="toggle">
      <details>
        <summary>CORS errors</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled">Reason: CORS disabled</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin">Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin">Reason: CORS header 'Access-Control-Allow-Origin' missing</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded">Reason: CORS header 'Origin' cannot be added</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed">Reason: CORS preflight channel did not succeed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed">Reason: CORS request did not succeed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed">Reason: CORS request external redirect not allowed</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp">Reason: CORS request not HTTP</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials">Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound">Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials">Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader">Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod">Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight">Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</a></li><li><a href="/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed">Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</a></li></ol>
      </details>
    </li>
    <li class="toggle">
      <details>
        <summary>Permissions-Policy directives</summary>
        <ol><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer">Permissions-Policy: accelerometer</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor">Permissions-Policy: ambient-light-sensor</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting">Permissions-Policy: attribution-reporting</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay">Permissions-Policy: autoplay</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth">Permissions-Policy: bluetooth</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics">Permissions-Policy: browsing-topics</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr><abbr class="icon icon-nonstandard" title="Non-standard. Check cross-browser support before using.">
    <span class="visually-hidden">Non-standard</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera">Permissions-Policy: camera</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure">Permissions-Policy: compute-pressure</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture">Permissions-Policy: display-capture</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain">Permissions-Policy: document-domain</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media">Permissions-Policy: encrypted-media</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen">Permissions-Policy: fullscreen</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad">Permissions-Policy: gamepad</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation">Permissions-Policy: geolocation</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope">Permissions-Policy: gyroscope</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid">Permissions-Policy: hid</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get">Permissions-Policy: identity-credentials-get</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection">Permissions-Policy: idle-detection</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts">Permissions-Policy: local-fonts</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer">Permissions-Policy: magnetometer</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone">Permissions-Policy: microphone</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi">Permissions-Policy: midi</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials">Permissions-Policy: otp-credentials</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment">Permissions-Policy: payment</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture">Permissions-Policy: picture-in-picture</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create">Permissions-Policy: publickey-credentials-create</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get">Permissions-Policy: publickey-credentials-get</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock">Permissions-Policy: screen-wake-lock</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial">Permissions-Policy: serial</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection">Permissions-Policy: speaker-selection</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access">Permissions-Policy: storage-access</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb">Permissions-Policy: usb</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share">Permissions-Policy: web-share</a></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management">Permissions-Policy: window-management</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li><li><a href="/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking">Permissions-Policy: xr-spatial-tracking</a><abbr class="icon icon-experimental" title="Experimental. Expect behavior to change in the future.">
    <span class="visually-hidden">Experimental</span>
</abbr></li></ol>
      </details>
    </li>
    <li><a href="/en-US/docs/Web/HTTP/Resources_and_specifications">HTTP resources and specifications</a></li>
  </ol>
</div></div><section class="place side new-side"><div class="pong-box2" style="--place-new-side-background-light: #FFCFAB; --place-new-side-color-light: #1D1813; --place-new-side-background-dark: #FFCFAB; --place-new-side-color-dark: #1D1813;"><a class="pong" data-glean="pong: pong->click side" href="/pong/click?code=aHR0cHM6Ly9zcnYuYnV5c2VsbGFkcy5jb20vYWRzL2NsaWNrL3gvR1RORDQyN0xGVEJJQ0tKTUNZQUxZS1FVQ1ZBSVQ1UVVDV1lENlozSkNBN0RFNVFNQ0U3SVQyM0tDNkJJQ0tRTENLQklFMlFVRjZBRDYyN0pDNlNEVjJKN0hFWUk1S0pZQ1dCSVQ1M0VDVE5DWUJaNTJL.PCFpHervFayBLKw2Qqeqp6dr88wLuzsnenu2THG4jRM%3D&amp;version=2" target="_blank" rel="sponsored noreferrer"><img src="/pimg/aHR0cHM6Ly9zdGF0aWM0LmJ1eXNlbGxhZHMubmV0L3V1LzIvMTU1MTUxLzE3MjYwNDc2NzctNTAwcHgtaGktZml2ZS1iYW5uZXIucG5n.b1zXpdxSNbekJYXxU%2BvzK4%2B7hoeJ6zHpyb3hxMGVpAo%3D" aria-hidden="false" alt="Scrimba and MDN partnership" width="125" height="125"><div class="content"><strong>Learn web development with MDN</strong><span>Limited time offer: get 30% discount on the frontend developer course we developed with Scrimba</span><span class="pong-cta external">Sign up now</span></div></a><a href="/en-US/advertising" class="pong-note" data-glean="pong: pong->about" target="_blank" rel="noreferrer">Ad</a></div><a class="no-pong" data-glean="pong: pong->plus" href="/en-US/plus?ref=nope#subscribe">Don't want to see ads?</a></section></nav></aside><div class="toc-container"><aside class="toc"><nav><div class="document-toc-container"><section class="document-toc"><header><h2 class="document-toc-heading">In this article</h2></header><ul class="document-toc-list"><li class="document-toc-item "><a class="document-toc-link" href="#syntax">Syntax</a></li><li class="document-toc-item "><a class="document-toc-link" href="#examples">Examples</a></li><li class="document-toc-item "><a class="document-toc-link" href="#specifications">Specifications</a></li><li class="document-toc-item "><a class="document-toc-link" href="#browser_compatibility">Browser compatibility</a></li><li class="document-toc-item "><a class="document-toc-link" href="#see_also">See also</a></li></ul></section></div></nav></aside><section class="place side new-side"><div class="pong-box2" style="--place-new-side-background-light: #FFCFAB; --place-new-side-color-light: #1D1813; --place-new-side-background-dark: #FFCFAB; --place-new-side-color-dark: #1D1813;"><a class="pong" data-glean="pong: pong->click side" href="/pong/click?code=aHR0cHM6Ly9zcnYuYnV5c2VsbGFkcy5jb20vYWRzL2NsaWNrL3gvR1RORDQyN0xGVEJJQ0tKTUNZQUxZS1FVQ1ZBSVQ1UVVDV1lENlozSkNBN0RFNVFNQ0U3SVQyM0tDNkJJQ0tRTENLQklFMlFVRjZBRDYyN0pDNlNEVjJKN0hFWUk1S0pZQ1dCSVQ1M0VDVE5DWUJaNTJL.PCFpHervFayBLKw2Qqeqp6dr88wLuzsnenu2THG4jRM%3D&amp;version=2" target="_blank" rel="sponsored noreferrer"><img src="/pimg/aHR0cHM6Ly9zdGF0aWM0LmJ1eXNlbGxhZHMubmV0L3V1LzIvMTU1MTUxLzE3MjYwNDc2NzctNTAwcHgtaGktZml2ZS1iYW5uZXIucG5n.b1zXpdxSNbekJYXxU%2BvzK4%2B7hoeJ6zHpyb3hxMGVpAo%3D" aria-hidden="false" alt="Scrimba and MDN partnership" width="125" height="125"><div class="content"><strong>Learn web development with MDN</strong><span>Limited time offer: get 30% discount on the frontend developer course we developed with Scrimba</span><span class="pong-cta external">Sign up now</span></div></a><a href="/en-US/advertising" class="pong-note" data-glean="pong: pong->about" target="_blank" rel="noreferrer">Ad</a></div><a class="no-pong" data-glean="pong: pong->plus" href="/en-US/plus?ref=nope#subscribe">Don't want to see ads?</a></section></div></div><main id="content" class="main-content  "><article class="main-page-content" lang="en-US"><header><h1>X-Frame-Options</h1></header><div class="section-content"><div class="notecard deprecated" id="sect1"><p><strong>Deprecated:</strong> This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the <a href="#browser_compatibility">compatibility table</a> at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.</p></div>
<div class="notecard warning" id="sect2">
  <p><strong>Warning:</strong> Instead of this header, use the <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>frame-ancestors</code></a> directive in a <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a> header.</p>
</div>
<p>The <strong><code>X-Frame-Options</code></strong> <a href="/en-US/docs/Web/HTTP">HTTP</a> response header can be used to indicate whether a browser should be allowed to render a page in a <a href="/en-US/docs/Web/HTML/Element/frame"><code>&lt;frame&gt;</code></a>, <a href="/en-US/docs/Web/HTML/Element/iframe"><code>&lt;iframe&gt;</code></a>, <a href="/en-US/docs/Web/HTML/Element/embed"><code>&lt;embed&gt;</code></a> or <a href="/en-US/docs/Web/HTML/Element/object"><code>&lt;object&gt;</code></a>. Sites can use this to avoid <a href="/en-US/docs/Web/Security/Types_of_attacks#click-jacking">click-jacking</a> attacks, by ensuring that their content is not embedded into other sites.</p>
<p>The added security is provided only if the user accessing the document is using a browser that supports <code>X-Frame-Options</code>.</p>
<figure class="table-container"><table class="properties">
  <tbody>
    <tr>
      <th scope="row">Header type</th>
      <td><a href="/en-US/docs/Glossary/Response_header">Response header</a></td>
    </tr>
    <tr>
      <th scope="row"><a href="/en-US/docs/Glossary/Forbidden_header_name">Forbidden header name</a></th>
      <td>no</td>
    </tr>
  </tbody>
</table></figure></div><section aria-labelledby="syntax"><h2 id="syntax"><a href="#syntax">Syntax</a></h2><div class="section-content"><p>There are two possible directives for <code>X-Frame-Options</code>:</p>
<div class="code-example"><div class="example-header"><span class="language-name">http</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: http notranslate"><code><span class="token header"><span class="token header-name keyword">X-Frame-Options</span><span class="token punctuation">:</span> <span class="token header-value">DENY</span></span>
<span class="token header"><span class="token header-name keyword">X-Frame-Options</span><span class="token punctuation">:</span> <span class="token header-value">SAMEORIGIN</span></span>
</code></pre></div></div></section><section aria-labelledby="directives"><h3 id="directives"><a href="#directives">Directives</a></h3><div class="section-content"><p>If you specify <code>DENY</code>, not only will the browser attempt to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify <code>SAMEORIGIN</code>, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.</p>
<dl>
  <dt id="deny"><a href="#deny"><code>DENY</code></a></dt>
  <dd>
    <p>The page cannot be displayed in a frame, regardless of the site attempting to do so.</p>
  </dd>
  <dt id="sameorigin"><a href="#sameorigin"><code>SAMEORIGIN</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></dt>
  <dd>
    <p>The page can only be displayed if all ancestor frames are same origin to the page itself.</p>
  </dd>
  <dt id="allow-from_origin"><a href="#allow-from_origin"><code>ALLOW-FROM origin</code></a> <abbr class="icon icon-deprecated" title="Deprecated. Not for use in new websites.">
  <span class="visually-hidden">Deprecated</span>
</abbr></dt>
  <dd>
    <p>This is an obsolete directive. Modern browsers that encounter response headers with this directive will ignore the header completely. The <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a> HTTP header has a <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>frame-ancestors</code></a> directive which you should use instead.</p>
  </dd>
</dl></div></section><section aria-labelledby="examples"><h2 id="examples"><a href="#examples">Examples</a></h2><div class="section-content"><div class="notecard warning" id="sect3">
  <p><strong>Warning:</strong> Setting <code>X-Frame-Options</code> inside the <a href="/en-US/docs/Web/HTML/Element/meta"><code>&lt;meta&gt;</code></a> element (e.g., <code>&lt;meta http-equiv="X-Frame-Options" content="deny"&gt;</code>) has no effect. <code>X-Frame-Options</code> is only enforced via HTTP headers, as shown in the examples below.</p>
</div></div></section><section aria-labelledby="configuring_apache"><h3 id="configuring_apache"><a href="#configuring_apache">Configuring Apache</a></h3><div class="section-content"><p>To configure Apache to send the <code>X-Frame-Options</code> header for all pages, add this to your site's configuration:</p>
<div class="code-example"><div class="example-header"><span class="language-name">apacheconf</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: apacheconf notranslate"><code><span class="token directive-inline property">Header</span> always set X-Frame-Options <span class="token string">"SAMEORIGIN"</span>
</code></pre></div>
<p>To configure Apache to set <code>X-Frame-Options</code> to <code>DENY</code>, add this to your site's configuration:</p>
<div class="code-example"><div class="example-header"><span class="language-name">apacheconf</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: apacheconf notranslate"><code><span class="token directive-inline property">Header</span> set X-Frame-Options <span class="token string">"DENY"</span>
</code></pre></div></div></section><section aria-labelledby="configuring_nginx"><h3 id="configuring_nginx"><a href="#configuring_nginx">Configuring Nginx</a></h3><div class="section-content"><p>To configure Nginx to send the <code>X-Frame-Options</code> header, add this either to your http, server or location configuration:</p>
<div class="code-example"><div class="example-header"><span class="language-name">nginx</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: nginx notranslate"><code><span class="token directive"><span class="token keyword">add_header</span> X-Frame-Options SAMEORIGIN always</span><span class="token punctuation">;</span>
</code></pre></div>
<p>You can set the <code>X-Frame-Options</code> header to <code>DENY</code> using:</p>
<div class="code-example"><div class="example-header"><span class="language-name">nginx</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: nginx notranslate"><code><span class="token directive"><span class="token keyword">add_header</span> X-Frame-Options DENY always</span><span class="token punctuation">;</span>
</code></pre></div></div></section><section aria-labelledby="configuring_iis"><h3 id="configuring_iis"><a href="#configuring_iis">Configuring IIS</a></h3><div class="section-content"><p>To configure IIS to send the <code>X-Frame-Options</code> header, add this to your site's <code>Web.config</code> file:</p>
<div class="code-example"><div class="example-header"><span class="language-name">xml</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: xml notranslate"><code><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>system.webServer</span><span class="token punctuation">&gt;</span></span>
  …
  <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>httpProtocol</span><span class="token punctuation">&gt;</span></span>
    <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>customHeaders</span><span class="token punctuation">&gt;</span></span>
      <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>add</span> <span class="token attr-name">name</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>X-Frame-Options<span class="token punctuation">"</span></span> <span class="token attr-name">value</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>SAMEORIGIN<span class="token punctuation">"</span></span> <span class="token punctuation">/&gt;</span></span>
    <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>customHeaders</span><span class="token punctuation">&gt;</span></span>
  <span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>httpProtocol</span><span class="token punctuation">&gt;</span></span>
  …
<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>system.webServer</span><span class="token punctuation">&gt;</span></span>
</code></pre></div>
<p>For more information, see the <a href="https://support.microsoft.com/en-US/office/mitigating-framesniffing-with-the-x-frame-options-header-1911411b-b51e-49fd-9441-e8301dcdcd79" class="external" target="_blank">Microsoft support article on setting this configuration using the IIS Manager</a> user interface.</p></div></section><section aria-labelledby="configuring_haproxy"><h3 id="configuring_haproxy"><a href="#configuring_haproxy">Configuring HAProxy</a></h3><div class="section-content"><p>To configure HAProxy to send the <code>X-Frame-Options</code> header, add this to your front-end, listen, or backend configuration:</p>
<pre class="brush: plain notranslate">rspadd X-Frame-Options:\ SAMEORIGIN
</pre>
<p>Alternatively, in newer versions:</p>
<pre class="brush: plain notranslate">http-response set-header X-Frame-Options SAMEORIGIN
</pre></div></section><section aria-labelledby="configuring_express"><h3 id="configuring_express"><a href="#configuring_express">Configuring Express</a></h3><div class="section-content"><p>To set <code>X-Frame-Options</code> to <code>SAMEORIGIN</code> using <a href="https://helmetjs.github.io/" class="external" target="_blank">Helmet</a> add the following to your server configuration:</p>
<div class="code-example"><div class="example-header"><span class="language-name">js</span><button type="button" class="icon copy-icon"><span class="visually-hidden">Copy to Clipboard</span></button><span class="copy-icon-message visually-hidden" role="alert"></span></div><pre class="brush: js notranslate"><code><span class="token keyword">const</span> helmet <span class="token operator">=</span> <span class="token function">require</span><span class="token punctuation">(</span><span class="token string">"helmet"</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
<span class="token keyword">const</span> app <span class="token operator">=</span> <span class="token function">express</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span>
app<span class="token punctuation">.</span><span class="token function">use</span><span class="token punctuation">(</span>
  <span class="token function">helmet</span><span class="token punctuation">(</span><span class="token punctuation">{</span>
    <span class="token literal-property property">xFrameOptions</span><span class="token operator">:</span> <span class="token punctuation">{</span> <span class="token literal-property property">action</span><span class="token operator">:</span> <span class="token string">"sameorigin"</span> <span class="token punctuation">}</span><span class="token punctuation">,</span>
  <span class="token punctuation">}</span><span class="token punctuation">)</span><span class="token punctuation">,</span>
<span class="token punctuation">)</span><span class="token punctuation">;</span>
</code></pre></div></div></section><h2 id="specifications"><a href="#specifications">Specifications</a></h2><table class="standard-table"><thead><tr><th scope="col">Specification</th></tr></thead><tbody><tr><td><a href="https://html.spec.whatwg.org/multipage/document-lifecycle.html#the-x-frame-options-header">HTML Standard<!-- --> <br><small># <!-- -->the-x-frame-options-header</small></a></td></tr></tbody></table><h2 id="browser_compatibility"><a href="#browser_compatibility">Browser compatibility</a></h2><a class="bc-github-link external external-icon" href="https://github.com/mdn/browser-compat-data/issues/new?mdn-url=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FX-Frame-Options&amp;metadata=%3C%21--+Do+not+make+changes+below+this+line+--%3E%0A%3Cdetails%3E%0A%3Csummary%3EMDN+page+report+details%3C%2Fsummary%3E%0A%0A*+Query%3A+%60http.headers.X-Frame-Options%60%0A*+Report+started%3A+2024-10-10T09%3A28%3A06.385Z%0A%0A%3C%2Fdetails%3E&amp;title=http.headers.X-Frame-Options+-+%3CSUMMARIZE+THE+PROBLEM%3E&amp;template=data-problem.yml" target="_blank" rel="noopener noreferrer" title="Report an issue with this compatibility data">Report problems with this compatibility data on GitHub</a><figure class="table-container"><figure class="table-container-inner"><table class="bc-table bc-table-web"><thead><tr class="bc-platforms"><td></td><th class="bc-platform bc-platform-desktop" colspan="5" title="desktop"><span class="icon icon-desktop"></span><span class="visually-hidden">desktop</span></th><th class="bc-platform bc-platform-mobile" colspan="7" title="mobile"><span class="icon icon-mobile"></span><span class="visually-hidden">mobile</span></th></tr><tr class="bc-browsers"><td></td><th class="bc-browser bc-browser-chrome"><div class="bc-head-txt-label bc-head-icon-chrome">Chrome</div><div class="bc-head-icon-symbol icon icon-chrome"></div></th><th class="bc-browser bc-browser-edge"><div class="bc-head-txt-label bc-head-icon-edge">Edge</div><div class="bc-head-icon-symbol icon icon-edge"></div></th><th class="bc-browser bc-browser-firefox"><div class="bc-head-txt-label bc-head-icon-firefox">Firefox</div><div class="bc-head-icon-symbol icon icon-simple-firefox"></div></th><th class="bc-browser bc-browser-opera"><div class="bc-head-txt-label bc-head-icon-opera">Opera</div><div class="bc-head-icon-symbol icon icon-opera"></div></th><th class="bc-browser bc-browser-safari"><div class="bc-head-txt-label bc-head-icon-safari">Safari</div><div class="bc-head-icon-symbol icon icon-safari"></div></th><th class="bc-browser bc-browser-chrome_android"><div class="bc-head-txt-label bc-head-icon-chrome_android">Chrome Android</div><div class="bc-head-icon-symbol icon icon-chrome"></div></th><th class="bc-browser bc-browser-firefox_android"><div class="bc-head-txt-label bc-head-icon-firefox_android">Firefox for Android</div><div class="bc-head-icon-symbol icon icon-simple-firefox"></div></th><th class="bc-browser bc-browser-opera_android"><div class="bc-head-txt-label bc-head-icon-opera_android">Opera Android</div><div class="bc-head-icon-symbol icon icon-opera"></div></th><th class="bc-browser bc-browser-safari_ios"><div class="bc-head-txt-label bc-head-icon-safari_ios">Safari on iOS</div><div class="bc-head-icon-symbol icon icon-safari"></div></th><th class="bc-browser bc-browser-samsunginternet_android"><div class="bc-head-txt-label bc-head-icon-samsunginternet_android">Samsung Internet</div><div class="bc-head-icon-symbol icon icon-samsunginternet"></div></th><th class="bc-browser bc-browser-webview_android"><div class="bc-head-txt-label bc-head-icon-webview_android">WebView Android</div><div class="bc-head-icon-symbol icon icon-webview"></div></th><th class="bc-browser bc-browser-webview_ios"><div class="bc-head-txt-label bc-head-icon-webview_ios">WebView on iOS</div><div class="bc-head-icon-symbol icon icon-webview"></div></th></tr></thead><tbody><tr><th class="bc-feature bc-feature-depth-0" scope="row"><div class="bc-table-row-header"><code>X-Frame-Options</code><div class="bc-icons" data-test="1"><abbr class="only-icon icon icon-deprecated" title="Deprecated. Not for use in new websites."><span>Deprecated</span></abbr></div></div></th><td class="bc-support bc-browser-chrome bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome</span><span class="bc-version-label" title="Released 2010-01-25">4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-edge bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Edge</span><span class="bc-version-label" title="Released 2015-07-29">12</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox</span><span class="bc-version-label" title="Released 2011-03-22">4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera</span><span class="bc-version-label" title="Released 2010-03-02">10.5</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari</span><span class="bc-version-label" title="Released 2009-06-08">4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-chrome_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome Android</span><span class="bc-version-label" title="Released 2012-06-27">18</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox for Android</span><span class="bc-version-label" title="Released 2011-03-29">4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera Android</span><span class="bc-version-label" title="Released 2013-05-21">14</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari_ios bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari on iOS</span><span class="bc-version-label" title="Released 2010-04-03">3.2</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-samsunginternet_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Samsung Internet</span><span class="bc-version-label" title="Released 2013-04-27">1.0</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView Android</span><span class="bc-version-label" title="Released 2013-12-09">4.4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_ios bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView on iOS</span><span class="bc-version-label" title="Released 2010-04-03">3.2</span></div></div><span class="offscreen">Toggle history</span></button></td></tr><tr><th class="bc-feature bc-feature-depth-1" scope="row"><div class="bc-table-row-header"><span>ALLOW-FROM</span><div class="bc-icons" data-test="2"><abbr class="only-icon icon icon-deprecated" title="Deprecated. Not for use in new websites."><span>Deprecated</span></abbr><abbr class="only-icon icon icon-nonstandard" title="Non-standard. Expect poor cross-browser support."><span>Non-standard</span></abbr></div></div></th><td class="bc-support bc-browser-chrome bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-edge bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Edge</span><span class="bc-version-label" title="Released 2015-07-29">12 – 18</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox</span><span class="bc-version-label" title="Released 2013-01-08">18 – 69</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-chrome_android bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome Android</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox for Android</span><span class="bc-version-label" title="Released 2013-01-08">18</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera_android bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera Android</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari_ios bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari on iOS</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-samsunginternet_android bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Samsung Internet</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_android bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView Android</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_ios bc-supports-no bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-no
              icon
              icon-no" title="No support"><span class="bc-support-level">No support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView on iOS</span><span class="bc-version-label">No</span></div></div><span class="offscreen">Toggle history</span></button></td></tr><tr><th class="bc-feature bc-feature-depth-1" scope="row"><div class="bc-table-row-header"><span>SAMEORIGIN</span></div></th><td class="bc-support bc-browser-chrome bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome</span><span class="bc-version-label" title="Released 2010-01-25">4</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-edge bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Edge</span><span class="bc-version-label" title="Released 2015-07-29">12</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox</span><span class="bc-version-label" title="Released 2011-03-22">4</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera</span><span class="bc-version-label" title="Released 2013-07-02">15</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari</span><span class="bc-version-label" title="Released 2009-06-08">4</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-chrome_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Chrome Android</span><span class="bc-version-label" title="Released 2012-06-27">18</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-firefox_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Firefox for Android</span><span class="bc-version-label" title="Released 2011-03-29">4</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-opera_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Opera Android</span><span class="bc-version-label" title="Released 2013-05-21">14</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-safari_ios bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Safari on iOS</span><span class="bc-version-label" title="Released 2010-04-03">3.2</span></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-samsunginternet_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">Samsung Internet</span><span class="bc-version-label" title="Released 2013-04-27">1.0</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_android bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView Android</span><span class="bc-version-label" title="Released 2013-12-09">4.4</span></div><div class="bc-icons"><abbr class="only-icon" title="See implementation notes."><span>footnote</span><i class="icon icon-footnote"></i></abbr></div></div><span class="offscreen">Toggle history</span></button></td><td class="bc-support bc-browser-webview_ios bc-supports-yes bc-has-history" aria-expanded="false"><button type="button" title="Toggle history"><div class="bcd-cell-text-wrapper"><div class="bcd-cell-icons"><span class="icon-wrap"><abbr class="
              bc-level-yes
              icon
              icon-yes" title="Full support"><span class="bc-support-level">Full support</span></abbr></span></div><div class="bcd-cell-text-copy"><span class="bc-browser-name">WebView on iOS</span><span class="bc-version-label" title="Released 2010-04-03">3.2</span></div></div><span class="offscreen">Toggle history</span></button></td></tr></tbody></table></figure></figure><section class="bc-legend"><h3 class="visually-hidden" id="Legend">Legend</h3><p class="bc-legend-tip">Tip: you can click/tap on a cell for more information.</p><dl class="bc-legend-items-container"><div class="bc-legend-item"><dt class="bc-legend-item-dt"><span class="bc-supports-yes bc-supports"><abbr class="bc-level bc-level-yes icon icon-yes" title="Full support"><span class="visually-hidden">Full support</span></abbr></span></dt><dd class="bc-legend-item-dd">Full support</dd></div><div class="bc-legend-item"><dt class="bc-legend-item-dt"><span class="bc-supports-no bc-supports"><abbr class="bc-level bc-level-no icon icon-no" title="No support"><span class="visually-hidden">No support</span></abbr></span></dt><dd class="bc-legend-item-dd">No support</dd></div><div class="bc-legend-item"><dt class="bc-legend-item-dt"><abbr class="legend-icons icon icon-nonstandard" title="Non-standard. Check cross-browser support before using."></abbr></dt><dd class="bc-legend-item-dd">Non-standard. Check cross-browser support before using.</dd></div><div class="bc-legend-item"><dt class="bc-legend-item-dt"><abbr class="legend-icons icon icon-deprecated" title="Deprecated. Not for use in new websites."></abbr></dt><dd class="bc-legend-item-dd">Deprecated. Not for use in new websites.</dd></div><div class="bc-legend-item"><dt class="bc-legend-item-dt"><abbr class="legend-icons icon icon-footnote" title="See implementation notes."></abbr></dt><dd class="bc-legend-item-dd">See implementation notes.</dd></div></dl></section><div class="hidden">The compatibility table on this page is generated from structured data. If you'd like to contribute to the data, please check out <a href="https://github.com/mdn/browser-compat-data">https://github.com/mdn/browser-compat-data</a> and send us a pull request.</div><section aria-labelledby="see_also"><h2 id="see_also"><a href="#see_also">See also</a></h2><div class="section-content"><ul>
  <li><a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy"><code>Content-Security-Policy</code></a> directive <a href="/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors"><code>frame-ancestors</code></a></li>
  <li><a href="https://learn.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vii-clickjacking-defenses" class="external" target="_blank">ClickJacking Defenses - IEBlog</a></li>
  <li><a href="https://learn.microsoft.com/en-us/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options" class="external" target="_blank">Combating ClickJacking with X-Frame-Options - IEInternals</a></li>
</ul></div></section></article><aside class="article-footer"><div class="article-footer-inner"><div class="svg-container"><svg xmlns="http://www.w3.org/2000/svg" width="162" height="162" viewBox="0 0 162 162" fill="none" role="none"><mask id="b" fill="#fff"><path d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z"></path></mask><path stroke="url(#a)" stroke-dasharray="6, 6" stroke-width="2" d="M97.203 47.04c8.113-7.886 18.004-13.871 28.906-17.492a78 78 0 0 1 33.969-3.39c11.443 1.39 22.401 5.295 32.024 11.411s17.656 14.28 23.476 23.86c5.819 9.579 9.269 20.318 10.083 31.385a69.85 69.85 0 0 1-5.387 32.44c-4.358 10.272-11.115 19.443-19.747 26.801-8.632 7.359-18.908 12.709-30.034 15.637l-6.17-21.698c7.666-2.017 14.746-5.703 20.694-10.773 5.948-5.071 10.603-11.389 13.606-18.467a48.14 48.14 0 0 0 3.712-22.352c-.561-7.625-2.938-15.025-6.948-21.625s-9.544-12.226-16.175-16.44-14.181-6.904-22.065-7.863a53.75 53.75 0 0 0-23.405 2.336c-7.513 2.495-14.327 6.62-19.918 12.053z" mask="url(#b)" style="stroke:url(#a)" transform="translate(-63.992 -25.587)"></path><ellipse cx="8.066" cy="111.597" fill="var(--background-tertiary)" rx="53.677" ry="53.699" transform="matrix(.71707 -.697 .7243 .6895 0 0)"></ellipse><g clip-path="url(#c)" transform="translate(-63.992 -25.587)"><path fill="#9abff5" d="m144.256 137.379 32.906 12.434a4.41 4.41 0 0 1 2.559 5.667l-9.326 24.679a4.41 4.41 0 0 1-5.667 2.559l-8.226-3.108-2.332 6.17c-.466 1.233-.375 1.883-1.609 1.417l-2.253-.527c-.411-.155-.95-.594-1.206-1.161l-4.734-10.484-12.545-4.741a4.41 4.41 0 0 1-2.559-5.667l9.325-24.679a4.41 4.41 0 0 1 5.667-2.559m9.961 29.617 8.227 3.108 3.264-8.638-.498-6.768-4.113-1.555.548 7.258-4.319-1.632zm-12.339-4.663 8.226 3.108 3.264-8.637-.498-6.769-4.113-1.554.548 7.257-4.319-1.632z"></path></g><g clip-path="url(#d)" transform="translate(-63.992 -25.587)"><path fill="#81b0f3" d="M135.35 60.136 86.67 41.654c-3.346-1.27-7.124.428-8.394 3.775L64.414 81.938c-1.27 3.347.428 7.125 3.774 8.395l12.17 4.62-3.465 9.128c-.693 1.826-1.432 2.457.394 3.15l3.014 1.625c.609.231 1.637.274 2.477-.104l15.53-6.983 18.56 7.047c3.346 1.27 7.124-.428 8.395-3.775l13.862-36.51c1.27-3.346-.428-7.124-3.775-8.395M95.261 83.207l-12.17-4.62 4.852-12.779 7.19-7.017 6.085 2.31-7.725 7.51 6.389 2.426zm18.255 6.93-12.17-4.62 4.852-12.778 7.189-7.017 6.085 2.31-7.725 7.51 6.39 2.426z"></path></g><defs><clipPath id="c"><path fill="#fff" d="m198.638 146.586-65.056-24.583-24.583 65.057 65.056 24.582z"></path></clipPath><clipPath id="d"><path fill="#fff" d="m66.438 14.055 96.242 36.54-36.54 96.243-96.243-36.54z"></path></clipPath><linearGradient id="a" x1="97.203" x2="199.995" y1="47.04" y2="152.793" gradientUnits="userSpaceOnUse"><stop stop-color="#086DFC"></stop><stop offset="0.246" stop-color="#2C81FA"></stop><stop offset="0.516" stop-color="#5497F8"></stop><stop offset="0.821" stop-color="#80B0F6"></stop><stop offset="1" stop-color="#9ABFF5"></stop></linearGradient></defs></svg></div><h2>Help improve MDN</h2><fieldset class="feedback"><label>Was this page helpful to you?</label><div class="button-container"><button type="button" class="button primary has-icon yes"><span class="button-wrap"><span class="icon icon-thumbs-up "></span>Yes</span></button><button type="button" class="button primary has-icon no"><span class="button-wrap"><span class="icon icon-thumbs-down "></span>No</span></button></div></fieldset><a class="contribute" href="https://github.com/mdn/content/blob/main/CONTRIBUTING.md" title="This will take you to our contribution guidelines on GitHub." target="_blank" rel="noopener noreferrer">Learn how to contribute</a>.<p class="last-modified-date">This page was last modified on<!-- --> <time datetime="2024-09-25T05:13:31.000Z">Sep 25, 2024</time> by<!-- --> <a href="/en-US/docs/Web/HTTP/Headers/X-Frame-Options/contributors.txt" rel="nofollow">MDN contributors</a>.</p><div id="on-github" class="on-github"><a href="https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/x-frame-options/index.md?plain=1" title="Folder: en-us/web/http/headers/x-frame-options (Opens in a new tab)" target="_blank" rel="noopener noreferrer">View this page on GitHub</a> <!-- -->•<!-- --> <a href="https://github.com/mdn/content/issues/new?template=page-report.yml&amp;mdn-url=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FX-Frame-Options&amp;metadata=%3C%21--+Do+not+make+changes+below+this+line+--%3E%0A%3Cdetails%3E%0A%3Csummary%3EPage+report+details%3C%2Fsummary%3E%0A%0A*+Folder%3A+%60en-us%2Fweb%2Fhttp%2Fheaders%2Fx-frame-options%60%0A*+MDN+URL%3A+https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FX-Frame-Options%0A*+GitHub+URL%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fblob%2Fmain%2Ffiles%2Fen-us%2Fweb%2Fhttp%2Fheaders%2Fx-frame-options%2Findex.md%0A*+Last+commit%3A+https%3A%2F%2Fgithub.com%2Fmdn%2Fcontent%2Fcommit%2F2b44e3e665ceb5f4336089695aa5f617b1baf33c%0A*+Document+last+modified%3A+2024-09-25T05%3A13%3A31.000Z%0A%0A%3C%2Fdetails%3E" title="This will take you to GitHub to file a new issue." target="_blank" rel="noopener noreferrer">Report a problem with this content</a></div></div></aside></main></div><div class="bottom-banner-container" style="--place-bottom-banner-background: #181422; --place-bottom-banner-color: #000000;"><section class="place bottom-banner"><a class="pong" data-glean="pong: pong->click bottom-banner" href="/pong/click?code=aHR0cHM6Ly9zcnYuYnV5c2VsbGFkcy5jb20vYWRzL2NsaWNrL3gvR1RORDQyN0xGVEJJQzJKV0NBU0xZS1FVQ1ZBSVQ1UVVDVlNENlozSkNBN0RFNVFNQ0tTRFYySktDNkJJQ0tRTENLQklFMlFVRjZBRDYyN0pDNlNEVjJKN0hFWUk1S0pZQ1dCSVQ1M0VDVE5DWUJaNTJL.qiVRkZBpjyb4UZyOPfPgHHoh2d9xT8pzFRvT%2FJbaNqY%3D&amp;version=2" target="_blank" rel="sponsored noreferrer"><img src="/pimg/aHR0cHM6Ly9zdGF0aWM0LmJ1eXNlbGxhZHMubmV0L3V1LzIvMTU0ODUwLzE3MjUwNDUzMjAtMTQ1NngxODBfQS5wbmc%3D.gQddojNaSIEGMqbwfPHt8WRmseAFkInV23TWc4LtSsY%3D" alt="Gitlab" width="728" height="90"></a><a href="/en-US/advertising" class="pong-note" data-glean="pong: pong->about" target="_blank" rel="noreferrer">Mozilla ads</a><a class="no-pong" data-glean="pong: pong->plus" href="/en-US/plus?ref=nope#subscribe">Don't want to see ads?</a></section></div></div><footer id="nav-footer" class="page-footer"><div class="page-footer-grid"><div class="page-footer-logo-col"><a href="/" class="mdn-footer-logo" aria-label="MDN homepage"><svg width="48" height="17" viewBox="0 0 48 17" fill="none" xmlns="http://www.w3.org/2000/svg"><title id="mdn-footer-logo-svg">MDN logo</title><path d="M20.04 16.512H15.504V10.416C15.504 9.488 15.344 8.824 15.024 8.424C14.72 8.024 14.264 7.824 13.656 7.824C12.92 7.824 12.384 8.064 12.048 8.544C11.728 9.024 11.568 9.64 11.568 10.392V14.184H13.008V16.512H8.472V10.416C8.472 9.488 8.312 8.824 7.992 8.424C7.688 8.024 7.232 7.824 6.624 7.824C5.872 7.824 5.336 8.064 5.016 8.544C4.696 9.024 4.536 9.64 4.536 10.392V14.184H6.6V16.512H0V14.184H1.44V8.04H0.024V5.688H4.536V7.32C5.224 6.088 6.32 5.472 7.824 5.472C8.608 5.472 9.328 5.664 9.984 6.048C10.64 6.432 11.096 7.016 11.352 7.8C11.992 6.248 13.168 5.472 14.88 5.472C15.856 5.472 16.72 5.776 17.472 6.384C18.224 6.992 18.6 7.936 18.6 9.216V14.184H20.04V16.512Z" fill="currentColor"></path><path d="M33.6714 16.512H29.1354V14.496C28.8314 15.12 28.3834 15.656 27.7914 16.104C27.1994 16.536 26.4154 16.752 25.4394 16.752C24.0154 16.752 22.8954 16.264 22.0794 15.288C21.2634 14.312 20.8554 12.984 20.8554 11.304C20.8554 9.688 21.2554 8.312 22.0554 7.176C22.8554 6.04 24.0634 5.472 25.6794 5.472C26.5594 5.472 27.2794 5.648 27.8394 6C28.3994 6.352 28.8314 6.8 29.1354 7.344V2.352H26.9754V0H32.2314V14.184H33.6714V16.512ZM29.1354 11.04V10.776C29.1354 9.88 28.8954 9.184 28.4154 8.688C27.9514 8.176 27.3674 7.92 26.6634 7.92C25.9754 7.92 25.3674 8.176 24.8394 8.688C24.3274 9.2 24.0714 10.008 24.0714 11.112C24.0714 12.152 24.3114 12.944 24.7914 13.488C25.2714 14.032 25.8394 14.304 26.4954 14.304C27.3114 14.304 27.9514 13.96 28.4154 13.272C28.8954 12.584 29.1354 11.84 29.1354 11.04Z" fill="currentColor"></path><path d="M47.9589 16.512H41.9829V14.184H43.4229V10.416C43.4229 9.488 43.2629 8.824 42.9429 8.424C42.6389 8.024 42.1829 7.824 41.5749 7.824C40.8389 7.824 40.2709 8.056 39.8709 8.52C39.4709 8.968 39.2629 9.56 39.2469 10.296V14.184H40.6869V16.512H34.7109V14.184H36.1509V8.04H34.5909V5.688H39.2469V7.344C39.9669 6.096 41.1269 5.472 42.7269 5.472C43.7509 5.472 44.6389 5.776 45.3909 6.384C46.1429 6.992 46.5189 7.936 46.5189 9.216V14.184H47.9589V16.512Z" fill="currentColor"></path></svg></a><p>Your blueprint for a better internet.</p><ul class="social-icons"><li><a href="https://mozilla.social/@mdn" target="_blank" rel="me noopener noreferrer"><span class="icon icon-mastodon"></span><span class="visually-hidden">MDN on Mastodon</span></a></li><li><a href="https://twitter.com/mozdevnet" target="_blank" rel="noopener noreferrer"><span class="icon icon-twitter-x"></span><span class="visually-hidden">MDN on X (formerly Twitter)</span></a></li><li><a href="https://github.com/mdn/" target="_blank" rel="noopener noreferrer"><span class="icon icon-github-mark-small"></span><span class="visually-hidden">MDN on GitHub</span></a></li><li><a href="/en-US/blog/rss.xml" target="_blank"><span class="icon icon-feed"></span><span class="visually-hidden">MDN Blog RSS Feed</span></a></li></ul></div><div class="page-footer-nav-col-1"><h2 class="footer-nav-heading">MDN</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a href="/en-US/about">About</a></li><li class="footer-nav-item"><a href="/en-US/blog/">Blog</a></li><li class="footer-nav-item"><a href="https://www.mozilla.org/en-US/careers/listings/?team=ProdOps" target="_blank" rel="noopener noreferrer">Careers</a></li><li class="footer-nav-item"><a href="/en-US/advertising">Advertise with us</a></li></ul></div><div class="page-footer-nav-col-2"><h2 class="footer-nav-heading">Support</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="https://support.mozilla.org/products/mdn-plus">Product help</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/MDN/Community/Issues">Report an issue</a></li></ul></div><div class="page-footer-nav-col-3"><h2 class="footer-nav-heading">Our communities</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/community">MDN Community</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="https://discourse.mozilla.org/c/mdn/236" target="_blank" rel="noopener noreferrer">MDN Forum</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/discord" target="_blank" rel="noopener noreferrer">MDN Chat</a></li></ul></div><div class="page-footer-nav-col-4"><h2 class="footer-nav-heading">Developers</h2><ul class="footer-nav-list"><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Web">Web Technologies</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/docs/Learn">Learn Web Development</a></li><li class="footer-nav-item"><a class="footer-nav-link" href="/en-US/plus">MDN Plus</a></li><li class="footer-nav-item"><a href="https://hacks.mozilla.org/" target="_blank" rel="noopener noreferrer">Hacks Blog</a></li></ul></div><div class="page-footer-moz"><a href="https://www.mozilla.org/" class="footer-moz-logo-link" target="_blank" rel="noopener noreferrer"><svg width="112" height="32" fill="none" xmlns="http://www.w3.org/2000/svg"><title id="mozilla-footer-logo-svg">Mozilla logo</title><path d="M41.753 14.218c-2.048 0-3.324 1.522-3.324 4.157 0 2.423 1.119 4.286 3.29 4.286 2.082 0 3.447-1.678 3.447-4.347 0-2.826-1.522-4.096-3.413-4.096Zm54.89 7.044c0 .901.437 1.618 1.645 1.618 1.427 0 2.949-1.024 3.044-3.352-.649-.095-1.365-.185-2.02-.185-1.426-.005-2.668.397-2.668 1.92Z" fill="currentColor"></path><path d="M0 0v32h111.908V0H0Zm32.56 25.426h-5.87v-7.884c0-2.423-.806-3.352-2.39-3.352-1.924 0-2.702 1.365-2.702 3.324v4.868h1.864v3.044h-5.864v-7.884c0-2.423-.806-3.352-2.39-3.352-1.924 0-2.702 1.365-2.702 3.324v4.868h2.669v3.044H6.642v-3.044h1.863v-7.918H6.642V11.42h5.864v2.11c.839-1.489 2.3-2.39 4.252-2.39 2.02 0 3.878.963 4.566 3.01.778-1.862 2.361-3.01 4.566-3.01 2.512 0 4.812 1.522 4.812 4.84v6.402h1.863v3.044h-.005Zm9.036.307c-4.314 0-7.296-2.635-7.296-7.106 0-4.096 2.484-7.481 7.514-7.481s7.481 3.38 7.481 7.29c0 4.472-3.228 7.297-7.699 7.297Zm22.578-.307H51.942l-.403-2.11 7.7-8.846h-4.376l-.621 2.17-2.888-.313.498-4.907h12.294l.313 2.11-7.767 8.852h4.533l.654-2.172 3.167.308-.872 4.908Zm7.99 0h-4.191v-5.03h4.19v5.03Zm0-8.976h-4.191v-5.03h4.19v5.03Zm2.618 8.976 6.054-21.358h3.945l-6.054 21.358h-3.945Zm8.136 0 6.048-21.358h3.945l-6.054 21.358h-3.939Zm21.486.307c-1.863 0-2.887-1.085-3.072-2.792-.805 1.427-2.232 2.792-4.498 2.792-2.02 0-4.314-1.085-4.314-4.006 0-3.447 3.323-4.253 6.518-4.253.778 0 1.584.034 2.3.124v-.465c0-1.427-.034-3.133-2.3-3.133-.84 0-1.488.061-2.143.402l-.453 1.578-3.195-.34.549-3.224c2.45-.996 3.692-1.27 5.992-1.27 3.01 0 5.556 1.55 5.556 4.75v6.083c0 .805.314 1.085.963 1.085.184 0 .375-.034.587-.095l.034 2.11a5.432 5.432 0 0 1-2.524.654Z" fill="currentColor"></path></svg></a><ul class="footer-moz-list"><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Website Privacy Notice</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/privacy/websites/#cookies" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Cookies</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/legal/terms/mozilla" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Legal</a></li><li class="footer-moz-item"><a href="https://www.mozilla.org/about/governance/policies/participation/" class="footer-moz-link" target="_blank" rel="noopener noreferrer">Community Participation Guidelines</a></li></ul></div><div class="page-footer-legal"><p id="license" class="page-footer-legal-text">Visit<!-- --> <a href="https://www.mozilla.org" target="_blank" rel="noopener noreferrer">Mozilla Corporation’s</a> <!-- -->not-for-profit parent, the<!-- --> <a target="_blank" rel="noopener noreferrer" href="https://foundation.mozilla.org/">Mozilla Foundation</a>.<br>Portions of this content are ©1998–<!-- -->2024<!-- --> by individual mozilla.org contributors. Content available under<!-- --> <a href="/en-US/docs/MDN/Writing_guidelines/Attrib_copyright_license">a Creative Commons license</a>.</p></div></div></footer></div><script type="application/json" id="hydration">{"url":"/en-US/docs/Web/HTTP/Headers/X-Frame-Options","doc":{"isMarkdown":true,"isTranslated":false,"isActive":true,"flaws":{},"title":"X-Frame-Options","mdn_url":"/en-US/docs/Web/HTTP/Headers/X-Frame-Options","locale":"en-US","native":"English (US)","browserCompat":["http.headers.X-Frame-Options"],"sidebarHTML":"\n  <ol>\n    <li class=\"section\"><a href=\"/en-US/docs/Web/HTTP\">HTTP</a></li>\n    <li class=\"section no-link\">Guides</li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Overview\">An overview of HTTP</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Session\">A typical HTTP session</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Messages\">HTTP Messages</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/MIME_types\">MIME types (IANA media types)</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Compression\">Compression in HTTP</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Caching\">HTTP caching</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Authentication\">HTTP authentication</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Cookies\">Using HTTP cookies</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Redirections\">Redirections in HTTP</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Conditional_requests\">HTTP conditional requests</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Range_requests\">HTTP range requests</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Content_negotiation\">Content negotiation</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Connection_management_in_HTTP_1.x\">Connection management in HTTP/1.x</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Evolution_of_HTTP\">Evolution of HTTP</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Protocol_upgrade_mechanism\">Protocol upgrade mechanism</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Proxy_servers_and_tunneling\">Proxy servers and tunneling</a></li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Client_hints\">HTTP Client hints</a></li>\n    <li class=\"toggle\">\n      <details>\n        <summary>Security and privacy</summary>\n        <ol>\n          <li><a href=\"/en-US/docs/Web/Security/Practical_implementation_guides\">Practical security implementation guides</a></li>\n          <li><a href=\"/en-US/observatory\">HTTP Observatory</a></li>\n          <li><a href=\"/en-US/docs/Web/HTTP/Permissions_Policy\">Permissions Policy</a></li>\n          <li><a href=\"/en-US/docs/Web/HTTP/CSP\">Content Security Policy (CSP)</a></li>\n          <li><a href=\"/en-US/docs/Web/HTTP/CORS\">Cross-Origin Resource Sharing (CORS)</a></li>\n          <li><a href=\"/en-US/docs/Web/HTTP/Cross-Origin_Resource_Policy\">Cross-Origin Resource Policy (CORP)</a></li>\n          <li><a href=\"/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\">Strict-Transport-Security</a></li>\n        </ol>\n      </details>\n    </li>\n    <li class=\"section no-link\">References</li>\n    <li class=\"toggle\">\n      <details open=\"\">\n        <summary>HTTP headers</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept\"><code>Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-CH\"><code>Accept-CH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Charset\"><code>Accept-Charset</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Encoding\"><code>Accept-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Language\"><code>Accept-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Patch\"><code>Accept-Patch</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Post\"><code>Accept-Post</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Accept-Ranges\"><code>Accept-Ranges</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials\"><code>Access-Control-Allow-Credentials</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers\"><code>Access-Control-Allow-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods\"><code>Access-Control-Allow-Methods</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin\"><code>Access-Control-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers\"><code>Access-Control-Expose-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age\"><code>Access-Control-Max-Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers\"><code>Access-Control-Request-Headers</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method\"><code>Access-Control-Request-Method</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Age\"><code>Age</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Allow\"><code>Allow</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Svc\"><code>Alt-Svc</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Alt-Used\"><code>Alt-Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Eligible\"><code>Attribution-Reporting-Eligible</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Source\"><code>Attribution-Reporting-Register-Source</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Attribution-Reporting-Register-Trigger\"><code>Attribution-Reporting-Register-Trigger</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Authorization\"><code>Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cache-Control\"><code>Cache-Control</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Clear-Site-Data\"><code>Clear-Site-Data</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Connection\"><code>Connection</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Digest\"><code>Content-Digest</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Disposition\"><code>Content-Disposition</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-DPR\"><code>Content-DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Encoding\"><code>Content-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Language\"><code>Content-Language</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Length\"><code>Content-Length</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Location\"><code>Content-Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Range\"><code>Content-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy-Report-Only\"><code>Content-Security-Policy-Report-Only</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Type\"><code>Content-Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cookie\"><code>Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Critical-CH\"><code>Critical-CH</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy\"><code>Cross-Origin-Embedder-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy\"><code>Cross-Origin-Opener-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy\"><code>Cross-Origin-Resource-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Date\"><code>Date</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Device-Memory\"><code>Device-Memory</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Digest\"><code>Digest</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DNT\"><code>DNT</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Downlink\"><code>Downlink</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/DPR\"><code>DPR</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Early-Data\"><code>Early-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ECT\"><code>ECT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/ETag\"><code>ETag</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect\"><code>Expect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expect-CT\"><code>Expect-CT</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Expires\"><code>Expires</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Forwarded\"><code>Forwarded</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/From\"><code>From</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Host\"><code>Host</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Match\"><code>If-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Modified-Since\"><code>If-Modified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-None-Match\"><code>If-None-Match</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Range\"><code>If-Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/If-Unmodified-Since\"><code>If-Unmodified-Since</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Keep-Alive\"><code>Keep-Alive</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Last-Modified\"><code>Last-Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Link\"><code>Link</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Location\"><code>Location</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Max-Forwards\"><code>Max-Forwards</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/NEL\"><code>NEL</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/No-Vary-Search\"><code>No-Vary-Search</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Observe-Browsing-Topics\"><code>Observe-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin\"><code>Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Origin-Agent-Cluster\"><code>Origin-Agent-Cluster</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy\"><code>Permissions-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Pragma\"><code>Pragma</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Priority\"><code>Priority</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authenticate\"><code>Proxy-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Proxy-Authorization\"><code>Proxy-Authorization</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Range\"><code>Range</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referer\"><code>Referer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Referrer-Policy\"><code>Referrer-Policy</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Refresh\"><code>Refresh</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Report-To\"><code>Report-To</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Reporting-Endpoints\"><code>Reporting-Endpoints</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Repr-Digest\"><code>Repr-Digest</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Retry-After\"><code>Retry-After</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/RTT\"><code>RTT</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Save-Data\"><code>Save-Data</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Browsing-Topics\"><code>Sec-Browsing-Topics</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Color-Scheme\"><code>Sec-CH-Prefers-Color-Scheme</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Motion\"><code>Sec-CH-Prefers-Reduced-Motion</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-Prefers-Reduced-Transparency\"><code>Sec-CH-Prefers-Reduced-Transparency</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA\"><code>Sec-CH-UA</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Arch\"><code>Sec-CH-UA-Arch</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Bitness\"><code>Sec-CH-UA-Bitness</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version\"><code>Sec-CH-UA-Full-Version</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Full-Version-List\"><code>Sec-CH-UA-Full-Version-List</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Mobile\"><code>Sec-CH-UA-Mobile</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Model\"><code>Sec-CH-UA-Model</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform\"><code>Sec-CH-UA-Platform</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-CH-UA-Platform-Version\"><code>Sec-CH-UA-Platform-Version</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Dest\"><code>Sec-Fetch-Dest</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Mode\"><code>Sec-Fetch-Mode</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-Site\"><code>Sec-Fetch-Site</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Fetch-User\"><code>Sec-Fetch-User</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-GPC\"><code>Sec-GPC</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-Purpose\"><code>Sec-Purpose</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Accept\"><code>Sec-WebSocket-Accept</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Extensions\"><code>Sec-WebSocket-Extensions</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Key\"><code>Sec-WebSocket-Key</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Protocol\"><code>Sec-WebSocket-Protocol</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Sec-WebSocket-Version\"><code>Sec-WebSocket-Version</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server\"><code>Server</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Server-Timing\"><code>Server-Timing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Service-Worker-Navigation-Preload\"><code>Service-Worker-Navigation-Preload</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Cookie\"><code>Set-Cookie</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Set-Login\"><code>Set-Login</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/SourceMap\"><code>SourceMap</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Speculation-Rules\"><code>Speculation-Rules</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security\"><code>Strict-Transport-Security</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Supports-Loading-Mode\"><code>Supports-Loading-Mode</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/TE\"><code>TE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Timing-Allow-Origin\"><code>Timing-Allow-Origin</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Tk\"><code>Tk</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Trailer\"><code>Trailer</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Transfer-Encoding\"><code>Transfer-Encoding</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade\"><code>Upgrade</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Upgrade-Insecure-Requests\"><code>Upgrade-Insecure-Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/User-Agent\"><code>User-Agent</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Vary\"><code>Vary</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Via\"><code>Via</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Viewport-Width\"><code>Viewport-Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Content-Digest\"><code>Want-Content-Digest</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Digest\"><code>Want-Digest</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Want-Repr-Digest\"><code>Want-Repr-Digest</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Warning\"><code>Warning</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Width\"><code>Width</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/WWW-Authenticate\"><code>WWW-Authenticate</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options\"><code>X-Content-Type-Options</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-DNS-Prefetch-Control\"><code>X-DNS-Prefetch-Control</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-For\"><code>X-Forwarded-For</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Host\"><code>X-Forwarded-Host</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto\"><code>X-Forwarded-Proto</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><em><a href=\"/en-US/docs/Web/HTTP/Headers/X-Frame-Options\" aria-current=\"page\"><code>X-Frame-Options</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></em></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/X-XSS-Protection\"><code>X-XSS-Protection</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li></ol>\n      </details>\n    </li>\n    <li class=\"toggle\">\n      <details>\n        <summary>HTTP request methods</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/Methods/CONNECT\"><code>CONNECT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/DELETE\"><code>DELETE</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/GET\"><code>GET</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/HEAD\"><code>HEAD</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/OPTIONS\"><code>OPTIONS</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PATCH\"><code>PATCH</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/POST\"><code>POST</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/PUT\"><code>PUT</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Methods/TRACE\"><code>TRACE</code></a></li></ol>\n      </details>\n    </li>\n    <li class=\"toggle\">\n      <details>\n        <summary>HTTP response status codes</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/Status/100\"><code>100 Continue</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/101\"><code>101 Switching Protocols</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/102\"><code>102 Processing</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/103\"><code>103 Early Hints</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/200\"><code>200 OK</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/201\"><code>201 Created</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/202\"><code>202 Accepted</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/203\"><code>203 Non-Authoritative Information</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/204\"><code>204 No Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/205\"><code>205 Reset Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/206\"><code>206 Partial Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/207\"><code>207 Multi-Status</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/208\"><code>208 Already Reported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/226\"><code>226 IM Used</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/300\"><code>300 Multiple Choices</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/301\"><code>301 Moved Permanently</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/302\"><code>302 Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/303\"><code>303 See Other</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/304\"><code>304 Not Modified</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/307\"><code>307 Temporary Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/308\"><code>308 Permanent Redirect</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/400\"><code>400 Bad Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/401\"><code>401 Unauthorized</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/402\"><code>402 Payment Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/403\"><code>403 Forbidden</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/404\"><code>404 Not Found</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/405\"><code>405 Method Not Allowed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/406\"><code>406 Not Acceptable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/407\"><code>407 Proxy Authentication Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/408\"><code>408 Request Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/409\"><code>409 Conflict</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/410\"><code>410 Gone</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/411\"><code>411 Length Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/412\"><code>412 Precondition Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/413\"><code>413 Content Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/414\"><code>414 URI Too Long</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/415\"><code>415 Unsupported Media Type</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/416\"><code>416 Range Not Satisfiable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/417\"><code>417 Expectation Failed</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/418\"><code>418 I'm a teapot</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/421\"><code>421 Misdirected Request</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/422\"><code>422 Unprocessable Content</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/423\"><code>423 Locked</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/424\"><code>424 Failed Dependency</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/425\"><code>425 Too Early</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/426\"><code>426 Upgrade Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/428\"><code>428 Precondition Required</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/429\"><code>429 Too Many Requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/431\"><code>431 Request Header Fields Too Large</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/451\"><code>451 Unavailable For Legal Reasons</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/500\"><code>500 Internal Server Error</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/501\"><code>501 Not Implemented</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/502\"><code>502 Bad Gateway</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/503\"><code>503 Service Unavailable</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/504\"><code>504 Gateway Timeout</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/505\"><code>505 HTTP Version Not Supported</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/506\"><code>506 Variant Also Negotiates</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/507\"><code>507 Insufficient Storage</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/508\"><code>508 Loop Detected</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/510\"><code>510 Not Extended</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Status/511\"><code>511 Network Authentication Required</code></a></li></ol>\n      </details>\n    </li>\n    <li class=\"toggle\">\n      <details>\n        <summary>CSP directives</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/Sources\"><code>CSP source values</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/base-uri\"><code>CSP: base-uri</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/block-all-mixed-content\"><code>CSP: block-all-mixed-content</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/child-src\"><code>CSP: child-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/connect-src\"><code>CSP: connect-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/default-src\"><code>CSP: default-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/fenced-frame-src\"><code>CSP: fenced-frame-src</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/font-src\"><code>CSP: font-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/form-action\"><code>CSP: form-action</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>CSP: frame-ancestors</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-src\"><code>CSP: frame-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/img-src\"><code>CSP: img-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/manifest-src\"><code>CSP: manifest-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/media-src\"><code>CSP: media-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/object-src\"><code>CSP: object-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/prefetch-src\"><code>CSP: prefetch-src</code></a><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-to\"><code>CSP: report-to</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/report-uri\"><code>CSP: report-uri</code></a><abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/require-trusted-types-for\"><code>CSP: require-trusted-types-for</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/sandbox\"><code>CSP: sandbox</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src\"><code>CSP: script-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-attr\"><code>CSP: script-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem\"><code>CSP: script-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src\"><code>CSP: style-src</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-attr\"><code>CSP: style-src-attr</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src-elem\"><code>CSP: style-src-elem</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/trusted-types\"><code>CSP: trusted-types</code></a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/upgrade-insecure-requests\"><code>CSP: upgrade-insecure-requests</code></a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/worker-src\"><code>CSP: worker-src</code></a></li></ol>\n      </details>\n    </li>\n    <li class=\"toggle\">\n      <details>\n        <summary>CORS errors</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDisabled\">Reason: CORS disabled</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSAllowOriginNotMatchingOrigin\">Reason: CORS header 'Access-Control-Allow-Origin' does not match 'xyz'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowOrigin\">Reason: CORS header 'Access-Control-Allow-Origin' missing</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSOriginHeaderNotAdded\">Reason: CORS header 'Origin' cannot be added</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSPreflightDidNotSucceed\">Reason: CORS preflight channel did not succeed</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSDidNotSucceed\">Reason: CORS request did not succeed</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSExternalRedirectNotAllowed\">Reason: CORS request external redirect not allowed</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSRequestNotHttp\">Reason: CORS request not HTTP</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSNotSupportingCredentials\">Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMethodNotFound\">Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMIssingAllowCredentials\">Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowHeader\">Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Headers'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSInvalidAllowMethod\">Reason: invalid token 'xyz' in CORS header 'Access-Control-Allow-Methods'</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMissingAllowHeaderFromPreflight\">Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel</a></li><li><a href=\"/en-US/docs/Web/HTTP/CORS/Errors/CORSMultipleAllowOriginNotAllowed\">Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed</a></li></ol>\n      </details>\n    </li>\n    <li class=\"toggle\">\n      <details>\n        <summary>Permissions-Policy directives</summary>\n        <ol><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/accelerometer\">Permissions-Policy: accelerometer</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/ambient-light-sensor\">Permissions-Policy: ambient-light-sensor</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/attribution-reporting\">Permissions-Policy: attribution-reporting</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/autoplay\">Permissions-Policy: autoplay</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/bluetooth\">Permissions-Policy: bluetooth</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/browsing-topics\">Permissions-Policy: browsing-topics</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr><abbr class=\"icon icon-nonstandard\" title=\"Non-standard. Check cross-browser support before using.\">\n    <span class=\"visually-hidden\">Non-standard</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/camera\">Permissions-Policy: camera</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/compute-pressure\">Permissions-Policy: compute-pressure</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/display-capture\">Permissions-Policy: display-capture</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/document-domain\">Permissions-Policy: document-domain</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/encrypted-media\">Permissions-Policy: encrypted-media</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/fullscreen\">Permissions-Policy: fullscreen</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gamepad\">Permissions-Policy: gamepad</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/geolocation\">Permissions-Policy: geolocation</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/gyroscope\">Permissions-Policy: gyroscope</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/hid\">Permissions-Policy: hid</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/identity-credentials-get\">Permissions-Policy: identity-credentials-get</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/idle-detection\">Permissions-Policy: idle-detection</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/local-fonts\">Permissions-Policy: local-fonts</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/magnetometer\">Permissions-Policy: magnetometer</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/microphone\">Permissions-Policy: microphone</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/midi\">Permissions-Policy: midi</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/otp-credentials\">Permissions-Policy: otp-credentials</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/payment\">Permissions-Policy: payment</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/picture-in-picture\">Permissions-Policy: picture-in-picture</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-create\">Permissions-Policy: publickey-credentials-create</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/publickey-credentials-get\">Permissions-Policy: publickey-credentials-get</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/screen-wake-lock\">Permissions-Policy: screen-wake-lock</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/serial\">Permissions-Policy: serial</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/speaker-selection\">Permissions-Policy: speaker-selection</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/storage-access\">Permissions-Policy: storage-access</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/usb\">Permissions-Policy: usb</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/web-share\">Permissions-Policy: web-share</a></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/window-management\">Permissions-Policy: window-management</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li><li><a href=\"/en-US/docs/Web/HTTP/Headers/Permissions-Policy/xr-spatial-tracking\">Permissions-Policy: xr-spatial-tracking</a><abbr class=\"icon icon-experimental\" title=\"Experimental. Expect behavior to change in the future.\">\n    <span class=\"visually-hidden\">Experimental</span>\n</abbr></li></ol>\n      </details>\n    </li>\n    <li><a href=\"/en-US/docs/Web/HTTP/Resources_and_specifications\">HTTP resources and specifications</a></li>\n  </ol>\n","sidebarMacro":"HTTPSidebar","body":[{"type":"prose","value":{"id":null,"title":null,"isH3":false,"content":"<div class=\"notecard deprecated\" id=\"sect1\"><p><strong>Deprecated:</strong> This feature is no longer recommended. Though some browsers might still support it, it may have already been removed from the relevant web standards, may be in the process of being dropped, or may only be kept for compatibility purposes. Avoid using it, and update existing code if possible; see the <a href=\"#browser_compatibility\">compatibility table</a> at the bottom of this page to guide your decision. Be aware that this feature may cease to work at any time.</p></div>\n<div class=\"notecard warning\" id=\"sect2\">\n  <p><strong>Warning:</strong> Instead of this header, use the <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>frame-ancestors</code></a> directive in a <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a> header.</p>\n</div>\n<p>The <strong><code>X-Frame-Options</code></strong> <a href=\"/en-US/docs/Web/HTTP\">HTTP</a> response header can be used to indicate whether a browser should be allowed to render a page in a <a href=\"/en-US/docs/Web/HTML/Element/frame\"><code>&lt;frame&gt;</code></a>, <a href=\"/en-US/docs/Web/HTML/Element/iframe\"><code>&lt;iframe&gt;</code></a>, <a href=\"/en-US/docs/Web/HTML/Element/embed\"><code>&lt;embed&gt;</code></a> or <a href=\"/en-US/docs/Web/HTML/Element/object\"><code>&lt;object&gt;</code></a>. Sites can use this to avoid <a href=\"/en-US/docs/Web/Security/Types_of_attacks#click-jacking\">click-jacking</a> attacks, by ensuring that their content is not embedded into other sites.</p>\n<p>The added security is provided only if the user accessing the document is using a browser that supports <code>X-Frame-Options</code>.</p>\n<figure class=\"table-container\"><table class=\"properties\">\n  <tbody>\n    <tr>\n      <th scope=\"row\">Header type</th>\n      <td><a href=\"/en-US/docs/Glossary/Response_header\">Response header</a></td>\n    </tr>\n    <tr>\n      <th scope=\"row\"><a href=\"/en-US/docs/Glossary/Forbidden_header_name\">Forbidden header name</a></th>\n      <td>no</td>\n    </tr>\n  </tbody>\n</table></figure>"}},{"type":"prose","value":{"id":"syntax","title":"Syntax","isH3":false,"content":"<p>There are two possible directives for <code>X-Frame-Options</code>:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">http</span></div><pre class=\"brush: http notranslate\"><code>X-Frame-Options: DENY\nX-Frame-Options: SAMEORIGIN\n</code></pre></div>"}},{"type":"prose","value":{"id":"directives","title":"Directives","isH3":true,"content":"<p>If you specify <code>DENY</code>, not only will the browser attempt to load the page in a frame fail when loaded from other sites, attempts to do so will fail when loaded from the same site. On the other hand, if you specify <code>SAMEORIGIN</code>, you can still use the page in a frame as long as the site including it in a frame is the same as the one serving the page.</p>\n<dl>\n  <dt id=\"deny\"><a href=\"#deny\"><code>DENY</code></a></dt>\n  <dd>\n    <p>The page cannot be displayed in a frame, regardless of the site attempting to do so.</p>\n  </dd>\n  <dt id=\"sameorigin\"><a href=\"#sameorigin\"><code>SAMEORIGIN</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></dt>\n  <dd>\n    <p>The page can only be displayed if all ancestor frames are same origin to the page itself.</p>\n  </dd>\n  <dt id=\"allow-from_origin\"><a href=\"#allow-from_origin\"><code>ALLOW-FROM origin</code></a> <abbr class=\"icon icon-deprecated\" title=\"Deprecated. Not for use in new websites.\">\n  <span class=\"visually-hidden\">Deprecated</span>\n</abbr></dt>\n  <dd>\n    <p>This is an obsolete directive. Modern browsers that encounter response headers with this directive will ignore the header completely. The <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a> HTTP header has a <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>frame-ancestors</code></a> directive which you should use instead.</p>\n  </dd>\n</dl>"}},{"type":"prose","value":{"id":"examples","title":"Examples","isH3":false,"content":"<div class=\"notecard warning\" id=\"sect3\">\n  <p><strong>Warning:</strong> Setting <code>X-Frame-Options</code> inside the <a href=\"/en-US/docs/Web/HTML/Element/meta\"><code>&lt;meta&gt;</code></a> element (e.g., <code>&lt;meta http-equiv=\"X-Frame-Options\" content=\"deny\"&gt;</code>) has no effect. <code>X-Frame-Options</code> is only enforced via HTTP headers, as shown in the examples below.</p>\n</div>"}},{"type":"prose","value":{"id":"configuring_apache","title":"Configuring Apache","isH3":true,"content":"<p>To configure Apache to send the <code>X-Frame-Options</code> header for all pages, add this to your site's configuration:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">apacheconf</span></div><pre class=\"brush: apacheconf notranslate\"><code>Header always set X-Frame-Options \"SAMEORIGIN\"\n</code></pre></div>\n<p>To configure Apache to set <code>X-Frame-Options</code> to <code>DENY</code>, add this to your site's configuration:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">apacheconf</span></div><pre class=\"brush: apacheconf notranslate\"><code>Header set X-Frame-Options \"DENY\"\n</code></pre></div>"}},{"type":"prose","value":{"id":"configuring_nginx","title":"Configuring Nginx","isH3":true,"content":"<p>To configure Nginx to send the <code>X-Frame-Options</code> header, add this either to your http, server or location configuration:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">nginx</span></div><pre class=\"brush: nginx notranslate\"><code>add_header X-Frame-Options SAMEORIGIN always;\n</code></pre></div>\n<p>You can set the <code>X-Frame-Options</code> header to <code>DENY</code> using:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">nginx</span></div><pre class=\"brush: nginx notranslate\"><code>add_header X-Frame-Options DENY always;\n</code></pre></div>"}},{"type":"prose","value":{"id":"configuring_iis","title":"Configuring IIS","isH3":true,"content":"<p>To configure IIS to send the <code>X-Frame-Options</code> header, add this to your site's <code>Web.config</code> file:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">xml</span></div><pre class=\"brush: xml notranslate\"><code>&lt;system.webServer&gt;\n  …\n  &lt;httpProtocol&gt;\n    &lt;customHeaders&gt;\n      &lt;add name=\"X-Frame-Options\" value=\"SAMEORIGIN\" /&gt;\n    &lt;/customHeaders&gt;\n  &lt;/httpProtocol&gt;\n  …\n&lt;/system.webServer&gt;\n</code></pre></div>\n<p>For more information, see the <a href=\"https://support.microsoft.com/en-US/office/mitigating-framesniffing-with-the-x-frame-options-header-1911411b-b51e-49fd-9441-e8301dcdcd79\" class=\"external\" target=\"_blank\">Microsoft support article on setting this configuration using the IIS Manager</a> user interface.</p>"}},{"type":"prose","value":{"id":"configuring_haproxy","title":"Configuring HAProxy","isH3":true,"content":"<p>To configure HAProxy to send the <code>X-Frame-Options</code> header, add this to your front-end, listen, or backend configuration:</p>\n<pre class=\"brush: plain notranslate\">rspadd X-Frame-Options:\\ SAMEORIGIN\n</pre>\n<p>Alternatively, in newer versions:</p>\n<pre class=\"brush: plain notranslate\">http-response set-header X-Frame-Options SAMEORIGIN\n</pre>"}},{"type":"prose","value":{"id":"configuring_express","title":"Configuring Express","isH3":true,"content":"<p>To set <code>X-Frame-Options</code> to <code>SAMEORIGIN</code> using <a href=\"https://helmetjs.github.io/\" class=\"external\" target=\"_blank\">Helmet</a> add the following to your server configuration:</p>\n<div class=\"code-example\"><div class=\"example-header\"><span class=\"language-name\">js</span></div><pre class=\"brush: js notranslate\"><code>const helmet = require(\"helmet\");\nconst app = express();\napp.use(\n  helmet({\n    xFrameOptions: { action: \"sameorigin\" },\n  }),\n);\n</code></pre></div>"}},{"type":"specifications","value":{"title":"Specifications","id":"specifications","isH3":false,"specifications":[{"bcdSpecificationURL":"https://html.spec.whatwg.org/multipage/document-lifecycle.html#the-x-frame-options-header","title":"HTML Standard"}],"query":"http.headers.X-Frame-Options"}},{"type":"browser_compatibility","value":{"title":"Browser compatibility","id":"browser_compatibility","isH3":false,"query":"http.headers.X-Frame-Options"}},{"type":"prose","value":{"id":"see_also","title":"See also","isH3":false,"content":"<ul>\n  <li><a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy\"><code>Content-Security-Policy</code></a> directive <a href=\"/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors\"><code>frame-ancestors</code></a></li>\n  <li><a href=\"https://learn.microsoft.com/en-us/archive/blogs/ie/ie8-security-part-vii-clickjacking-defenses\" class=\"external\" target=\"_blank\">ClickJacking Defenses - IEBlog</a></li>\n  <li><a href=\"https://learn.microsoft.com/en-us/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options\" class=\"external\" target=\"_blank\">Combating ClickJacking with X-Frame-Options - IEInternals</a></li>\n</ul>"}}],"toc":[{"text":"Syntax","id":"syntax"},{"text":"Examples","id":"examples"},{"text":"Specifications","id":"specifications"},{"text":"Browser compatibility","id":"browser_compatibility"},{"text":"See also","id":"see_also"}],"summary":"The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.","popularity":0.1694,"modified":"2024-09-25T05:13:31.000Z","other_translations":[{"locale":"es","title":"X-Frame-Options","native":"Español"},{"locale":"fr","title":"X-Frame-Options","native":"Français"},{"locale":"ja","title":"X-Frame-Options","native":"日本語"},{"locale":"ko","title":"X-Frame-Options","native":"한국어"},{"locale":"pt-BR","title":"X-Frame-Options","native":"Português (do Brasil)"},{"locale":"zh-CN","title":"X-Frame-Options","native":"中文 (简体)"},{"locale":"zh-TW","title":"X-Frame-Options 回應標頭","native":"正體中文 (繁體)"}],"pageType":"http-header","source":{"folder":"en-us/web/http/headers/x-frame-options","github_url":"https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/x-frame-options/index.md","last_commit_url":"https://github.com/mdn/content/commit/2b44e3e665ceb5f4336089695aa5f617b1baf33c","filename":"index.md"},"short_title":"X-Frame-Options","parents":[{"uri":"/en-US/docs/Web","title":"References"},{"uri":"/en-US/docs/Web/HTTP","title":"HTTP"},{"uri":"/en-US/docs/Web/HTTP/Headers","title":"Headers"},{"uri":"/en-US/docs/Web/HTTP/Headers/X-Frame-Options","title":"X-Frame-Options"}],"pageTitle":"X-Frame-Options - HTTP | MDN","noIndexing":false}}</script><div id="a11y-status-message" role="status" aria-live="polite" aria-relevant="additions text" style="border: 0px; clip: rect(0px, 0px, 0px, 0px); height: 1px; margin: -1px; overflow: hidden; padding: 0px; position: absolute; width: 1px;"></div></body></html>