# X-Frame Options

The X-Frame Options feature adds the `X-Frame-Options` HTTP response header to prevent unauthorized framing of your website. This header is commonly used to mitigate clickjacking attacks by restricting how and where your content can be embedded inside an `<iframe>`.

When enabled, the CDN includes the header in responses according to the configuration you provide.

### How X-Frame Options Works

You can configure X-Frame Options in the [Medianova Control Panel](https://cloud.medianova.com) or via the [API](https://clients.medianova.com/api-documentation/performance-cdn/headers#put-api-v1-cdn-organization_uuid-resource-resource_uuid-5).

When the feature is active:

* The CDN adds an `X-Frame-Options` header to viewer responses.
* If **no domain** is configured, the CDN sets:

  ```
  X-Frame-Options: SAMEORIGIN
  ```

  which allows framing only from the same domain.
* If **one or more domains** are provided, the CDN applies:

  ```
  X-Frame-Options: ALLOW-FROM <domain>
  ```

  for each allowed domain, enabling selective embedding.
* The browser enforces the framing policy and blocks disallowed attempts.

<figure><img src="/files/4WxW0teJg9Y9lQCyMT3D" alt=""><figcaption><p>X-Frame Options configuration area inside the Headers tab</p></figcaption></figure>

### Use Cases

#### Prevent clickjacking

Block external sites from embedding your pages to protect users from UI redress attacks.

#### Allow trusted partners

Permit framing only from specific domains that require embedded content (e.g., partner dashboards, internal tools).

#### Enforce controlled embedding behavior

Define clear, browser-enforced restrictions on how your content is presented in external applications.

### Notes

* `ALLOW-FROM` is not supported by all browsers. Modern security policies often prefer CSP `frame-ancestors`.
* `X-Frame-Options` does not affect API endpoints or non-HTML content.
* If multiple allowed domains are configured, behavior may differ between browsers because support levels vary.
* This header has no effect on origin requests; it is applied only to viewer-facing responses.
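
The following added example (not part of Medianova's documentation or code) audits a set of response headers the way current browsers evaluate them, following the HTML Standard's `X-Frame-Options` processing: an enforced CSP `frame-ancestors` directive takes precedence, `DENY` and `SAMEORIGIN` are honored, and `ALLOW-FROM` is an unrecognized value that is ignored. The function name `framing_policy`, the sample hostnames, and the CSP header in the last sample are assumptions constructed for illustration.

```python
def framing_policy(headers):
    """Return (verdict, detail) for a list of (name, value) response headers.

    Verdicts: "csp", "deny", "sameorigin", "unprotected".
    """
    csp_sources, xfo = [], set()
    for name, value in headers:
        name = name.strip().lower()
        if name == "content-security-policy":  # enforced policies only, not -Report-Only
            for policy in value.split(","):
                for directive in policy.split(";"):
                    parts = directive.split()
                    if parts and parts[0].lower() == "frame-ancestors":
                        csp_sources.append(parts[1:])
        elif name == "x-frame-options":
            xfo.update(v.strip().lower() for v in value.split(",") if v.strip())

    if csp_sources:
        # An enforced frame-ancestors directive takes precedence over X-Frame-Options.
        return "csp", csp_sources
    if len(xfo) > 1:
        # Conflicting values: blocked if any recognised keyword is present,
        # otherwise the header is ignored (e.g. several ALLOW-FROM entries).
        strict = xfo & {"deny", "sameorigin", "allowall"}
        return ("deny" if strict else "unprotected"), sorted(xfo)
    if xfo and xfo <= {"deny", "sameorigin"}:
        return next(iter(xfo)), sorted(xfo)
    # Missing header, ALLOW-FROM, or any other unrecognised value.
    return "unprotected", sorted(xfo)


# Constructed sample responses (hostnames are placeholders).
SAMPLES = {
    "no domain configured": [("X-Frame-Options", "SAMEORIGIN")],
    "one domain": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "two domains": [("X-Frame-Options", "ALLOW-FROM https://a.example"),
                    ("X-Frame-Options", "ALLOW-FROM https://b.example")],
    "csp added": [("X-Frame-Options", "SAMEORIGIN"),
                  ("Content-Security-Policy",
                   "default-src 'self'; frame-ancestors 'self' https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label:22} -> {framing_policy(hdrs)}")
```

An `unprotected` verdict for the `ALLOW-FROM` samples means a current browser applies no framing restriction from that response, so partner-only embedding needs `frame-ancestors` to be enforced.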


