Category: security · Impact: critical · Tier 1 · Verified (99% confidence)

Site missing X-Frame-Options header

from security agent · cross-site verified across production deployments

The trigger

HTML responses from the site carry no X-Frame-Options header. Without it (or an equivalent Content-Security-Policy frame-ancestors directive), any origin can load the page in an iframe and lay transparent controls over it, which is the basis of clickjacking.

The fix

Add X-Frame-Options: DENY (or SAMEORIGIN if the site frames its own pages) to every HTML response, not just the front page. The modern replacement is the Content-Security-Policy frame-ancestors directive ('none', 'self', or an explicit list of allowed origins); browsers that support it ignore X-Frame-Options when both are present, so set both: frame-ancestors for current browsers and X-Frame-Options for older ones. Do not rely on ALLOW-FROM, which is obsolete and ignored by current browsers, and do not put frame-ancestors in a <meta> tag, where it is not honoured; it must be sent as a response header.

Code example

X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none';
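The two headers above applied as plain WSGI middleware, beside the check a scanner runs to decide whether a response is actually protected (frame-ancestors first, because it overrides X-Frame-Options; report-only policies and the obsolete ALLOW-FROM are not counted). This is an added example for this page, not the scanner's or any framework's code; the sample app and the responses fed to the checker are constructed inline.

```python
"""Detect and fix missing clickjacking protection.

Added example, not the scanner's own code. The sample app and the header
sets used below are constructed; the middleware is plain WSGI so it runs
without any web framework installed.
"""

XFO = "x-frame-options"
CSP = "content-security-policy"  # exact match: Content-Security-Policy-Report-Only does not enforce


def _frame_ancestors(csp_values):
    """Return the lower-cased source list of the first frame-ancestors
    directive found in any Content-Security-Policy header value, or None."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None


def assess_framing(headers):
    """Classify a response's clickjacking protection.

    headers: list of (name, value) pairs as sent by the server.
    Returns 'protected', 'weak' or 'missing'. frame-ancestors is checked
    first because a browser that supports it ignores X-Frame-Options when
    both headers are present.
    """
    sources = _frame_ancestors([v for n, v in headers if n.lower() == CSP])
    if sources is not None:
        if not sources or "*" in sources:
            return "weak"      # empty or wildcard source list: any origin may frame the page
        return "protected"     # 'none', 'self' or an explicit origin list

    xfo_values = {v.strip().upper() for n, v in headers if n.lower() == XFO}
    if not xfo_values:
        return "missing"
    if xfo_values in ({"DENY"}, {"SAMEORIGIN"}):
        return "protected"
    # ALLOW-FROM is obsolete and ignored by current browsers; mixed or
    # malformed values are handled inconsistently, so treat them as unreliable.
    return "weak"


def clickjacking_protection(app, allow_self=False):
    """WSGI middleware adding both headers from the fix above.

    A second Content-Security-Policy header is appended rather than editing
    an existing one: browsers enforce every CSP header they receive, so the
    application's own policy stays intact.
    """
    xfo_value = "SAMEORIGIN" if allow_self else "DENY"
    csp_value = "frame-ancestors " + ("'self'" if allow_self else "'none'")

    def wrapped(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            # Drop any X-Frame-Options the app set so exactly one value is sent.
            headers = [(n, v) for n, v in headers if n.lower() != XFO]
            headers.append(("X-Frame-Options", xfo_value))
            headers.append(("Content-Security-Policy", csp_value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_headers)
    return wrapped


def response_headers(app, path="/"):
    """Run a WSGI app against a minimal constructed environ and return the
    headers it sent, so the middleware can be checked without a server."""
    captured = []

    def start_response(status, headers, exc_info=None):
        captured.extend(headers)
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
               "SERVER_PORT": "80", "wsgi.url_scheme": "http"}
    body = app(environ, start_response)
    if hasattr(body, "close"):
        body.close()
    return captured


def unprotected_app(environ, start_response):
    """Constructed sample app: an HTML page with no framing headers at all."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<html><body><button>Transfer funds</button></body></html>"]


if __name__ == "__main__":
    print("before:", assess_framing(response_headers(unprotected_app)))
    print("after: ", assess_framing(response_headers(clickjacking_protection(unprotected_app))))
```

Run it once against the real site by feeding assess_framing the header list from an HTTP client; a response that scores 'protected' only via X-Frame-Options still deserves the frame-ancestors header, since the checker reports what a browser would honour, not whether the defence-in-depth pair is complete.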
