Fix Guide
How to Fix a Missing X-Frame-Options Header
The response does not include a clickjacking protection header.
Recommended fix
Add X-Frame-Options or a CSP frame-ancestors policy that matches the site embedding requirements.
This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.
Developer task
Set X-Frame-Options: SAMEORIGIN, or enforce frame-ancestors in Content-Security-Policy.
Implementation steps
How to apply this fix
- Decide whether any external sites legitimately need to embed these pages.
- For same-origin-only embedding, set X-Frame-Options: SAMEORIGIN.
- For finer control, enforce frame-ancestors in Content-Security-Policy instead.
- Apply at the CDN/server layer and re-scan to confirm clickjacking protection.
Verify
Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.
Related guides