...

Browsers can restrict or deny the loading of a web page inside a frame, iframe or other object by reacting to the HTTP response header X-Frame-Options associated with that page. Setting this property correctly can help prevent click-jacking attacks (https://en.wikipedia.org/wiki/Clickjacking).

...

  • DENY - The page may never be loaded inside another page.
  • SAMEORIGIN - The page may only be loaded inside another page if it has the same origin.
  • ALLOW-FROM <origin> - The page may only be loaded inside another page if that page is from the indicated origin (www.mywebsite.com, for example).

Note

The option ALLOW-FROM is not recommended because it is not universally supported by all browsers.


In general, you are advised to use this header with the option SAMEORIGIN in order to prevent click-jacking attacks. For the front-end environment you can also choose the DENY option, but be aware that with this option pages can no longer be embedded in frames, iframes or other objects at all, not even by your own site.

Configuring the Apache HTTP Server to send X-Frame-Options is effective both for pages served by XperienCentral and for external static pages.
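As an added example (not part of the original page or of XperienCentral itself), a small Python checker that classifies a response's X-Frame-Options header according to the guidance above: DENY and SAMEORIGIN are accepted, ALLOW-FROM is flagged as weak, and a missing, unrecognised or duplicated header is reported as unprotected. The sample response heads are constructed, not captured from a real site.

```python
from typing import Dict, List

# Constructed sample response heads (not captured from a real site).
# The Apache fix for an "unprotected" result is the mod_headers directive:
#   Header always set X-Frame-Options "SAMEORIGIN"
SAMPLE_RESPONSES = {
    "sameorigin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: deny\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://www.mywebsite.com\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "conflict": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}


def header_values(raw: str, name: str) -> List[str]:
    """Return every value of header `name` in a raw response head (names are case-insensitive)."""
    head = raw.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(val.strip())
    return values


def assess_xfo(raw: str) -> Dict[str, str]:
    """Classify a response's X-Frame-Options policy as protected, weak or unprotected."""
    values = header_values(raw, "X-Frame-Options")
    if not values:
        return {"policy": "missing", "verdict": "unprotected",
                "reason": "no X-Frame-Options header: any site may frame this page"}
    if len(values) > 1:
        return {"policy": "multiple", "verdict": "unprotected",
                "reason": "header sent more than once; browsers differ on conflicting values, send exactly one"}
    value = values[0].upper()  # the directive is case-insensitive
    if value in ("DENY", "SAMEORIGIN"):
        return {"policy": value, "verdict": "protected",
                "reason": "framing limited to " + ("nobody" if value == "DENY" else "the same origin")}
    if value.startswith("ALLOW-FROM"):
        return {"policy": "ALLOW-FROM", "verdict": "weak",
                "reason": "ALLOW-FROM is not supported by all browsers; prefer SAMEORIGIN"}
    return {"policy": value, "verdict": "unprotected",
            "reason": "unrecognised value; browsers ignore the header entirely"}


if __name__ == "__main__":
    for name, raw in SAMPLE_RESPONSES.items():
        result = assess_xfo(raw)
        print(f"{name:11} {result['verdict']:12} {result['reason']}")
```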

...