X-Frame-Options

This page demonstrates the X-Frame-Options header. Note that the pages loaded in iframes are requested by the browser, the server executes the request and returns a response, but the browser will refuse to display the result.

Here's a page served with X-Frame-Options: Deny loaded in an iframe (should not be displayed by modern browsers). You can however navigate directly to the page to display it (IE should also let you "Open this content in a new window).

Here's a page served with X-Frame-Options: SameOrigin loaded in an iframe. You can also navigate directly to the page

Feel free to open this page in different browsers to see how they tackle the X-Frame-Options header.

To learn how to add this header with NWebsec see: Configuring security headers on the project website.