Drupal is a registered trademark of Dries Buytaert
Protected Pages 3.0.0 Major update available for module protected_pages (3.0.0). Commerce Core 3.3.8 Minor update available for module commerce (3.3.8). Search API HTML Element Filter 1.0.7 Minor update available for module search_api_html_element_filter (1.0.7). Layout Builder Reorder 2.0.1 Minor update available for module layout_builder_reorder (2.0.1). Ban 1.1.0 Minor update available for module ban (1.1.0). Field Formatter Range 2.0.0 Major update available for module field_formatter_range (2.0.0). Field Formatter Range 8.x-1.8 Minor update available for module field_formatter_range (8.x-1.8). Varbase Media Header 9.2.1 Minor update available for module varbase_media_header (9.2.1). Search API Solr 4.3.11 Module search_api_solr updated after 14 months of inactivity (4.3.11). Provus Mega Menu Module provus_mega_menu crossed 1,000 active installs.

This module allows you to control how your website content can be embedded in iframes on other sites by setting the X-Frame-Options HTTP header. You can choose directives like DENY, SAMEORIGIN, or ALLOW-FROM a specific URI to prevent clickjacking attacks.

Synopsis

This module can be used to set the x-frame-options header on your website with the appropriate directive. This might be useful when you want to include one of the pages of your site inside an iframe in another site.

The directives must be:
1. DENY
2. SAMEORIGIN
3. ALLOW-FROM uri (Currently [2021-03-15] not accepted by Chrome, Safari, Opera). You will be allowed to configure which uri.

There is a new option in the module to not use the header: ALLOW ALL.

Notes:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object> . Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

More info regarding the x-frame-options response header here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options.

Installation

Install as you would normally install a contributed Drupal module. Visit: https://www.drupal.org/docs/8/extending-drupal-8/installing-drupal-8-mod... for further information.

composer require drupal/x_frame_options_configuration

Notice the module is x_frame_options_configuration not x_frame_options (as I had initially)

Enable the module with Drush:

drush en -y x_frame_options_configuration

Configuration

Go to Configuration » System » X-frame-options header (/admin/config/system/x_frame_options_configuration/settings) and select the directive you want to use and if asked type the uri you will allow to render your site from.

Activity

Total releases
2
First release
Sep 2025
Latest release
3 months ago
Releases (12 mo)
2 ▲ from 0
Maintenance
Active

Releases

Version Type Release date
8.x-1.5 Stable Apr 2, 2026
8.x-1.4 Stable Sep 12, 2025