How to Set Security HTTP Headers like X-Frame-Options Using PHP's header() Function

M66 2025-07-18

In modern web development, ensuring the security of websites is an essential responsibility of developers. Browsers provide many mechanisms that enhance website security by setting specific HTTP headers, such as X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security. These headers help prevent attacks like clickjacking, MIME type sniffing, and cross-site scripting (XSS).

In PHP, the most commonly used way to set HTTP headers is by using the header() function. This article will explain in detail how to use PHP's header() function to set X-Frame-Options and other common security HTTP headers.

1. Using header() to Set X-Frame-Options

X-Frame-Options is used to prevent a webpage from being embedded in an </span>, <span class="fun"><frame></span>, or <span class="fun"><object></span>, thus protecting against clickjacking attacks.</p> <p class="">Example code:</p> <pre><code class="codes"><?php // Prevent the page from being embedded in an iframe header('X-Frame-Options: DENY'); <p>// Only allow embedding from the same domain<br> // header('X-Frame-Options: SAMEORIGIN');</p> <p>// Allow embedding from a specific third-party domain (note: most browsers have poor support for ALLOW-FROM)<br> // header('X-Frame-Options: ALLOW-FROM <a rel="noopener" target="_new" class="" href="https://m66.net">https://m66.net</a>');<br> ?></code></pre></p> <p class="">You just need to call <span class="fun">header()</span> before any output is sent. Typically, it can be placed at the very top of the PHP file. Note: Once any content is outputted (e.g., using <span class="fun"><a href="/en/php/echo.html" target="_blank">echo</a></span>), calling <span class="fun">header()</span> will result in an error.</p> <h3 class="">2. Adding Other Security HTTP Headers</h3> <p class="">In addition to <span class="fun">X-Frame-Options</span>, you can also add the following security headers:</p> <pre><code class="codes"><?php // Prevent MIME type sniffing header('X-Content-Type-Options: nosniff'); <p>// Enable XSS protection in browsers (note: modern browsers have deprecated this)<br> header('X-XSS-Protection: 1; mode=block');</p> <p>// Force the use of HTTPS (requires HTTPS certificate)<br> header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');</p> <p>// Set Content Security Policy (CSP)<br> header("Content-Security-Policy: default-src 'self'; img-src 'self' <a rel="noopener" target="_new" class="" href="https://m66.net">https://m66.net</a>; script-src 'self'");<br> ?></code></pre></p> <p class="">These headers, when combined, can greatly enhance site security. However, they should be configured carefully according to your specific needs, especially CSP, as improper configuration may cause normal resources to fail to load.</p> <h3 class="">3. Setting Headers for the Entire Site</h3> <p class="">If you want to set these security headers for the entire site, the recommended approach is:</p> <ul> <li class="">If using Apache, you can set them in the <span class="fun">.htaccess</span> file.</li> <li class="">If using Nginx, you can set them in the configuration file.</li> <li class="">If you must use PHP, you can add them in the website entry file (e.g., <span class="fun">index.php</span> or the global entry of the framework).</li> </ul> <p class="">Example (entry file):</p> <pre><code class="codes"><?php // Set security headers globally header('X-Frame-Options: DENY'); header('X-Content-Type-Options: nosniff'); header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload'); header("Content-Security-Policy: default-src 'self'; img-src 'self' https://m66.net; script-src 'self'"); <p>// Subsequent business logic<br> require 'app/bootstrap.php';<br> ?></code></pre></p> <h3 class="">4. Important Considerations</h3> <ul> <li class=""><p><strong>Call before output:</strong> <span class="fun">header()</span> must be called before any output (including spaces and newlines).</p></li> <li class=""><p><strong>Debugging tools:</strong> You can use the browser's developer tools (Network tab) or the <span class="fun">curl -I</span> command to check if the headers have been successfully added.</p></li> <li class=""><p><strong>Test in production:</strong> After adding security headers, make sure to thoroughly test in the production environment to ensure normal functionality and resource loading are not affected.</p></li> </ul> <ul class="detailedinfo-content-collapse"> <li><p>Related Tags:</p> <span> <a href="/en/tags/header.html" title="header" style="display:inline;" class="taglist">header</a> <a href="/en/tags/Options.html" title="Options" style="display:inline;" class="taglist">Options</a> </span> </li> </ul> </div> </div> <div class="b_box"> <div class="title_text"><i class="iconfont icon-jiangzhang"></i></div> <ul class="img_text_template"> </ul> </div> </div> <div class="right_box "> <div class="b_box"> <div class="widget_box"> <ul class="yyfl_box"> <li><a href="/en/php/header.html">header</a><i class="iconfont icon-AIGC-81"></i></li> </ul> </div> </div> <div class="b_box"> <div class="title_text"><i class="iconfont icon-wenzhangguanli"></i>Related</div> <ul class="img_text_template lr"> <li> <span class="img_item"> <img src="/files/images/20250528/202505281250048919.jpg" alt="Preventing cache: Setting tips for Cache-Control and Pragma"> </span> <div class="content"> <a href="/ca872524fbf7ea591.html" class="desc link_a"> Preventing cache: Setting tips for Cache-Control and Pragma </a> </div> </li> <li> <span class="img_item"> <img src="/files/images/20250518/202505180750106238.jpg" alt="header() + json_encode() implements API to return JSON data"> </span> <div class="content"> <a href="/142d7de959380f971.html" class="desc link_a"> header() + json_encode() implements API to return JSON data </a> </div> </li> <li> <span class="img_item"> <img src="/files/images/20250528/202505281433599162.jpg" alt="How to prevent users from directly accessing certain pages through header()"> </span> <div class="content"> <a href="/53c63cff1ad7f0e73.html" class="desc link_a"> How to prevent users from directly accessing certain pages through header() </a> </div> </li> <li> <span class="img_item"> <img src="/files/images/20250528/202505281443574844.jpg" alt="After logging in and verifying, use header() to jump to the homepage"> </span> <div class="content"> <a href="/d6937412b7e56de93.html" class="desc link_a"> After logging in and verifying, use header() to jump to the homepage </a> </div> </li> <li> <span class="img_item"> <img src="/files/images/20250605/202506051953036656.jpg" alt="Why does header() report an error "Headers already sent"? Causes and solutions"> </span> <div class="content"> <a href="/1f432b42343f56f23.html" class="desc link_a"> Why does header() report an error "Headers already sent"? Causes and solutions </a> </div> </li> <li> <span class="img_item"> <img src="/files/images/20250528/202505280924275353.jpg" alt="Setting the appropriate response header format with the front-end fetch API"> </span> <div class="content"> <a href="/474aa176b6dc95713.html" class="desc link_a"> Setting the appropriate response header format with the front-end fetch API </a> </div> </li> </ul> </div> </div> </section> <footer class="footer_template"> <div class="w12_box"> <div class="desc"> <div class="f_log"> <a href=""><img src="/images/logo.png" alt="m66.net"></a> </div> <div class="content">Covering practical tips and function usage in major programming languages to help you master core skills and tackle development challenges with ease. </div> <div class="info">Learning programming is so easy - m66.net</div> </div> <dl> <dd> <h3></h3> </dd> <dd> <h3></h3> </dd> </dl> </div> <div class="other"> <p></p> </div> </footer> <script async src="https://www.googletagmanager.com/gtag/js?id=G-GTCFFYHK8P"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'G-GTCFFYHK8P'); </script> </body> <script src="/js/jquery.js" type="text/javascript" charset="utf-8"></script> <script src="/js/lazy.js" type="text/javascript" charset="utf-8"></script> <script src="/js/swiper.min.js" type="text/javascript" charset="utf-8"></script> <script src="/js/viewer.js" type="text/javascript" charset="utf-8"></script> <script src="/js/index.js" type="text/javascript" charset="utf-8"></script>  <script> commonMethod.wz(); function ctrVideo(str){ console.log(str); $(".ytp-play-button").each(function(){ let status = $(this).attr("data-title-no-tooltip"); if(status === "Pause" && status!=str){ console.log("Pause"); $(this).trigger("click"); } }) } window.addEventListener('popstate', function() { ctrVideo(""); }); $(".left_box").on("click",".ytp-large-play-button",function(){ console.log("midddle button") let status = $(".ytp-play-button").attr("data-title-no-tooltip"); ctrVideo(status); }) $(".content_template").on("click",".ytp-play-button",function(){ console.log("play button") let status = $(this).attr("data-title-no-tooltip"); ctrVideo(status); }) </script> </html>