
How to use the header() function to prevent the iframe from loading the current page and defend against Clickjacking attacks?

M66 2025-05-28

Clickjacking is a malicious technique in which the attacker embeds a target web page in a transparent iframe on a page he controls, so that the user unwittingly clicks on content of the target page. To prevent this attack, we can stop the page from being nested in an iframe by sending the appropriate HTTP response headers.

In PHP, we can use the header() function to set the appropriate HTTP response header to achieve defense.

What is a Clickjacking attack?

The principle of a Clickjacking attack is to trick users into clicking interface elements they cannot see, so that they perform actions without knowing it. Usually, the attacker uses an iframe to nest a page of the target website inside his own web page and hides that page with transparency or other means; when the user operates on seemingly harmless content, he is actually performing the actions the attacker wants on the target page.

How to prevent the iframe from loading the current page?

The best way to prevent pages from being nested into iframes is to use the X-Frame-Options response header. This header tells the browser whether the current page is allowed to be nested in an iframe. Using this method can effectively prevent Clickjacking attacks.

Set X-Frame-Options using the header() function

In PHP, you can send HTTP response headers through the header() function. To prevent the page from being nested into an iframe, you can use the following code:

 <?php
// Set X-Frame-Options to prevent the page from being nested in an iframe
header('X-Frame-Options: DENY');

// Or, to allow nesting only from a specified domain name, use ALLOW-FROM instead.
// A second header() call with the same name replaces the first, so send only one of these.
// header('X-Frame-Options: ALLOW-FROM https://m66.net');

// Continue to process other content on the page
?>

The value of X-Frame-Options

  • DENY : Any web page is prohibited from loading the current page through an iframe.

  • SAMEORIGIN : Only pages with the same source (i.e., the same domain name) are allowed to load the current page through an iframe.

  • ALLOW-FROM uri : Allows the specified domain name to load the current page through an iframe. Note that the ALLOW-FROM option is deprecated in some browsers such as Firefox, so DENY or SAMEORIGIN is generally recommended.

Example: Prevent iframe nesting

Here is a practical example showing how to set the X-Frame-Options header in a PHP page to prevent other sites from nesting the current page into an iframe:

 <?php
// Prevent Clickjacking attacks
header('X-Frame-Options: DENY');

// Set other HTTP response headers
header('Content-Type: text/html; charset=UTF-8');

// Page content
echo "<h1>This is a safe page</h1>";
echo "<p>This page cannot be nested in an iframe.</p>";
?>

Other defense measures

While X-Frame-Options is an effective way to prevent Clickjacking attacks, it is not the only defense. You can also use Content Security Policy (CSP) to further strengthen protection. For example, by setting the CSP header, explicitly prohibiting pages from being nested in an iframe:

 <?php
// Use CSP to prohibit nesting
header("Content-Security-Policy: frame-ancestors 'none';");

// Page content
echo "<h1>This is a safe page</h1>";
?>

By setting frame-ancestors to 'none' you completely prevent the page from being nested in any iframe, and frame-ancestors is more flexible than X-Frame-Options .
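To check that a deployed page actually carries one of the headers described above, here is an added audit function (not code from the original article) that evaluates a response's X-Frame-Options and Content-Security-Policy frame-ancestors values the way current browsers do, including the case where both headers are present. The header sets it is run on are constructed samples.

```python
"""Audit HTTP response headers for clickjacking (framing) protection."""


def frame_protection(headers):
    """Return (protected, reason) for a dict of HTTP response headers.

    Rules applied:
    - If CSP carries a frame-ancestors directive, browsers use it and ignore
      X-Frame-Options, so it decides the result.
    - Otherwise X-Frame-Options DENY or SAMEORIGIN protects the page.
    - ALLOW-FROM is deprecated; browsers that do not understand the value
      ignore the header entirely, so it is treated as no protection.
    """
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            # An empty source list matches nothing, same as 'none'
            if not sources or sources == ["none"]:
                return True, "CSP frame-ancestors 'none': no framing allowed"
            if "*" in sources:
                return False, "CSP frame-ancestors * lets any site frame the page"
            return True, "CSP frame-ancestors limits framing to: " + ", ".join(sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return True, f"X-Frame-Options {xfo}"
    if xfo.startswith("ALLOW-FROM"):
        return False, "X-Frame-Options ALLOW-FROM is deprecated and ignored by current browsers"
    if xfo:
        return False, f"X-Frame-Options has an invalid value: {xfo!r}"
    return False, "no X-Frame-Options or CSP frame-ancestors header"


# Constructed sample responses mirroring the article's examples
SAMPLES = {
    "deny": {"X-Frame-Options": "DENY"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://m66.net"},
    "csp-none": {"Content-Security-Policy": "frame-ancestors 'none';"},
    "conflict": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    "missing": {"Content-Type": "text/html; charset=UTF-8"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        ok, why = frame_protection(hdrs)
        print(f"{name:11} {'PROTECTED' if ok else 'EXPOSED  '} {why}")
```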

This can effectively prevent your page from being nested in an iframe and avoid Clickjacking attacks. Depending on your needs, you can choose to use X-Frame-Options or Content Security Policy (CSP) to achieve defense.