Drupal is a registered trademark of Dries Buytaert
drupal 11.3.7 Update released for Drupal core (11.3.7)! drupal 11.2.11 Update released for Drupal core (11.2.11)! drupal 10.6.7 Update released for Drupal core (10.6.7)! drupal 10.5.9 Update released for Drupal core (10.5.9)! cms 2.1.1 Update released for Drupal core (2.1.1)! drupal 11.3.6 Update released for Drupal core (11.3.6)! drupal 10.6.6 Update released for Drupal core (10.6.6)! cms 2.1.0 Update released for Drupal core (2.1.0)! bootstrap 8.x-3.40 Minor update available for theme bootstrap (8.x-3.40). menu_link_attributes 8.x-1.7 Minor update available for module menu_link_attributes (8.x-1.7). eca 3.1.1 Minor update available for module eca (3.1.1). layout_paragraphs 2.1.3 Minor update available for module layout_paragraphs (2.1.3). ai 1.3.3 Minor update available for module ai (1.3.3). ai 1.2.14 Minor update available for module ai (1.2.14). node_revision_delete 2.0.3 Minor update available for module node_revision_delete (2.0.3). moderated_content_bulk_publish 2.0.52 Minor update available for module moderated_content_bulk_publish (2.0.52). klaro 3.0.10 Minor update available for module klaro (3.0.10). klaro 3.0.9 Minor update available for module klaro (3.0.9). layout_paragraphs 2.1.2 Minor update available for module layout_paragraphs (2.1.2). geofield_map 11.1.8 Minor update available for module geofield_map (11.1.8).
← All modules

x_frame_options

2,538 sites Security covered
View on drupal.org

Synopsis

This module can be used to set the x-frame-options header on your website with the appropriate directive. This might be useful when you want to include one of the pages of your site inside an iframe in another site.

The directives must be:
1. DENY
2. SAMEORIGIN
3. ALLOW-FROM uri (Currently [2021-03-15] not accepted by Chrome, Safari, Opera). You will be allowed to configure which uri.

There is a new option in the module to not use the header: ALLOW ALL.

Notes:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

More info regarding the x-frame-options response header here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.

Installation

Install as you would normally install a contributed Drupal module. Visit: https://www.drupal.org/docs/8/extending-drupal-8/installing-drupal-8-mod... for further information.

composer require drupal/x_frame_options_configuration

Notice the module is x_frame_options_configuration not x_frame_options (as I had initially)

Enable the module with Drush:

drush en -y x_frame_options_configuration

Configuration

Go to Configuration » System » X-frame-options header (/admin/config/system/x_frame_options_configuration/settings) and select the directive you want to use and if asked type the uri you will allow to render your site from.

Activity

Total releases
2
First release
Sep 2025
Latest release
2 weeks ago
Release cadence
202 days
Stability
100% stable

Releases

Version Type Release date
8.x-1.5 Stable Apr 2, 2026
8.x-1.4 Stable Sep 12, 2025