Fix Guide

How to Fix a Missing X-Frame-Options Header

The response does not include a clickjacking protection header.

Safe public URL scan. Results include technology evidence, SEO checks, security headers, accessibility basics, and a developer fix list.

Recommended fix

Add X-Frame-Options or a CSP frame-ancestors policy that matches the site embedding requirements.

This guide is designed to pair with a scanner report. Run a URL scan first, then follow the implementation steps.

Developer task

Set X-Frame-Options: SAMEORIGIN, or enforce frame-ancestors in Content-Security-Policy.

Implementation steps

How to apply this fix

  1. Decide whether any external sites legitimately need to embed these pages.
  2. For same-origin-only embedding, set X-Frame-Options: SAMEORIGIN.
  3. For finer control, enforce frame-ancestors in Content-Security-Policy instead.
  4. Apply at the CDN/server layer and re-scan to confirm clickjacking protection.
Verify

Re-run the URL scan after deploying the change to confirm the issue clears and the Themerella Score updates.

Related guides

Continue the same website quality workflow.