PHP
Prevent Clickjacking with X-Frame-Options in PHP
Implement the X-Frame-Options HTTP header in PHP to protect your web pages from clickjacking attacks by controlling whether they can be embedded in iframes.
```php
<?php
// Send the header before any output: once the response body has started,
// PHP can no longer add headers and the protection is silently lost.
header('X-Frame-Options: SAMEORIGIN');

echo '<!DOCTYPE html>';
echo '<html lang="en">';
echo '<head><meta charset="UTF-8"><title>Secure Page</title></head>';
echo '<body>';
echo '<h1>Welcome to a secure page!</h1>';
echo '<p>This page is protected against clickjacking using X-Frame-Options.</p>';
echo '<p>If you see this directly, it means it\'s not embedded in an unauthorized frame.</p>';
echo '</body>';
echo '</html>';
?>
```
How it works: This PHP snippet sets the `X-Frame-Options` HTTP header to prevent clickjacking attacks. The header tells the browser whether your page may be embedded within an `<iframe>`, `<object>`, or `<embed>` element. The `SAMEORIGIN` value used in this snippet allows the page to be framed only by pages from the same origin, while `DENY` prevents framing entirely. This simple but effective measure protects users from overlay attacks, where an attacker frames your page invisibly and tricks the user into clicking hidden elements. Send this header as early as possible in the script, before any other content is output, because PHP cannot add headers once the response body has started.
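A more defensive variant, added here as an example and not part of the original snippet (the helper name `send_frame_protection` is hypothetical). It rejects unsupported values, refuses to render if output has already started (the failure mode noted above), and also sends the CSP `frame-ancestors` directive, which current browsers honor in preference to `X-Frame-Options`.

```php
<?php
declare(strict_types=1);

/**
 * Send clickjacking protection headers (hypothetical helper, added example).
 *
 * $policy is 'DENY' or 'SAMEORIGIN'. The legacy ALLOW-FROM value is rejected
 * because modern browsers ignore it; use CSP frame-ancestors instead.
 *
 * Returns false if headers could no longer be sent, so the caller can react.
 */
function send_frame_protection(string $policy = 'SAMEORIGIN'): bool
{
    $policy = strtoupper($policy);
    if (!in_array($policy, ['DENY', 'SAMEORIGIN'], true)) {
        throw new InvalidArgumentException("Unsupported X-Frame-Options value: $policy");
    }

    // Any prior output (even whitespace before an opening <?php tag in an
    // included file) makes header() a no-op. Fail visibly rather than silently.
    if (headers_sent($file, $line)) {
        error_log("X-Frame-Options not sent: output already started at $file:$line");
        return false;
    }

    header('X-Frame-Options: ' . $policy);

    // CSP equivalent: 'none' matches DENY, 'self' matches SAMEORIGIN.
    // header() replaces any existing header of the same name, so if the
    // application already sends a Content-Security-Policy, merge this
    // directive into that policy instead of calling header() here.
    $ancestors = ($policy === 'DENY') ? "'none'" : "'self'";
    header("Content-Security-Policy: frame-ancestors $ancestors");
    return true;
}

// Usage: call before emitting any markup; refuse to render on failure.
if (!send_frame_protection('SAMEORIGIN')) {
    http_response_code(500);
    exit('Security headers could not be sent.');
}

echo '<!DOCTYPE html><html lang="en"><head><meta charset="UTF-8">';
echo '<title>Secure Page</title></head><body>';
echo '<h1>Welcome to a secure page!</h1></body></html>';
?>
```

To confirm the deployment actually emits the headers, inspect the response with `curl -I https://your-host/page.php` and check that both `X-Frame-Options` and `Content-Security-Policy` lines are present.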