X-Frame-Options Checker — Clickjacking Header Scan
Fetch response headers and read checks.xFrame — DENY, SAMEORIGIN, or missing framing policy
How to Use This Tool
- Enter full URL including https:// scheme.
- URL passes SSRF-safe validation before server fetch.
- Response headers populate checks.xFrame from x-frame-options header.
- Present earns points in score; missing adds xFrame to missing array.
- recommendations suggest DENY or SAMEORIGIN when absent.
- Expand full headers map and checks.csp for frame-ancestors context.
About This Tool
Clickjacking attacks embed your authenticated pages in invisible iframes on attacker sites — X-Frame-Options and Content-Security-Policy frame-ancestors are the primary mitigations. VSPIC X-Frame-Options checker calls the security-headers action with your URL, returning checks.xFrame present flag, truncated header value, points contribution, plus full checks object, grade, score, missing array, recommendations, and raw headers map from the same fetch.
Focus on checks.xFrame for the framing policy — but review checks.csp for frame-ancestors directives, which supersede XFO in modern browsers. For a dedicated framing-vulnerability boolean, use clickjacking-test on the same URL. This page runs the full security-headers scan with an X-Frame-Options emphasis.
Common use cases
- Inspect HTTP headers and user-agent strings
- Analyze email headers for phishing investigation
- Generate strong passwords for staging environments
Why use VSPIC for ?
- Direct checks.xFrame present and value fields for framing audit.
- Full security-headers score context — not isolated header guesswork.
- recommendations array for ticket-ready remediation text.
- Raw headers map for manual CSP frame-ancestors review.
- Grade summarizes overall header posture beyond XFO alone.
- Free instant scan on public URLs.
X-Frame-Options values and semantics
DENY prevents all framing. SAMEORIGIN allows framing only from same origin. Legacy ALLOW-FROM is deprecated and inconsistently supported. Missing header leaves pages embeddable by default — clickjacking viable on state-changing actions.
checks.xFrame.value shows truncated header string up to two hundred forty characters. Presence earns eleven points in the security-headers score model.
CSP frame-ancestors interaction
Modern browsers prefer Content-Security-Policy frame-ancestors over X-Frame-Options when both are present. checks.csp captures CSP presence only — inspect the full headers map for frame-ancestors 'none' or 'self' tokens.
A site with strong frame-ancestors may safely omit XFO — review both checks in results.
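An added example (not the VSPIC tool's own code) showing how the two framing controls above combine: CSP frame-ancestors is evaluated first when present, and X-Frame-Options only as a fallback, so the verdict is stricter than the presence-only score (ALLOW-FROM and unrecognised values count as unprotected). The header maps are constructed samples, keyed lowercase as a server-side fetch would normalise them.

```python
# Constructed sample header maps (not real fetch results), keyed lowercase.
SAMPLES = {
    "deny_only": {"x-frame-options": "DENY"},
    "legacy_allow_from": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "csp_supersedes": {
        "x-frame-options": "SAMEORIGIN",
        "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    },
    "csp_only_self": {"content-security-policy": "frame-ancestors 'self' https://app.example"},
    "unprotected": {"content-type": "text/html"},
}

def xfo_policy(headers):
    """Classify X-Frame-Options: 'DENY', 'SAMEORIGIN', 'ALLOW-FROM', 'INVALID', or None if absent."""
    value = headers.get("x-frame-options")
    if value is None:
        return None
    token = value.strip().upper()
    if token in ("DENY", "SAMEORIGIN"):
        return token
    if token.startswith("ALLOW-FROM"):
        return "ALLOW-FROM"          # deprecated, poorly supported
    return "INVALID"

def frame_ancestors(headers):
    """Return the frame-ancestors source list from CSP, or None if the directive is absent."""
    csp = headers.get("content-security-policy")
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def framing_verdict(headers):
    """Return (protected, reason). frame-ancestors wins over XFO, as modern browsers apply it."""
    fa = frame_ancestors(headers)
    if fa is not None:
        sources = [s.lower() for s in fa]
        if sources == ["'none'"]:
            return True, "frame-ancestors 'none' blocks all framing"
        if "*" in sources or any(s in ("http:", "https:") for s in sources):
            return False, "frame-ancestors allows any origin"
        return True, "frame-ancestors restricts framing to %s" % " ".join(fa)
    policy = xfo_policy(headers)
    if policy in ("DENY", "SAMEORIGIN"):
        return True, "X-Frame-Options %s" % policy
    if policy == "ALLOW-FROM":
        return False, "ALLOW-FROM is deprecated and poorly supported"
    if policy == "INVALID":
        return False, "unrecognised X-Frame-Options value"
    return False, "no framing policy; page is embeddable"
```

framing_verdict returns a boolean first, so the same function doubles as a CI gate over a fetched header map.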
Relationship to security-headers-checker
x-frame-options-checker, referrer-policy-checker, x-xss-protection-checker, and permissions-policy-checker all call action security-headers with identical JSON. security-headers-checker is the canonical full-score page; this page emphasizes checks.xFrame for framing SEO.
API: GET /ip-tools/api/extended?action=security-headers&url=https://example.com
Relationship to clickjacking-test
clickjacking-test parses XFO and CSP frame-ancestors into vulnerable boolean for quick pass-fail. security-headers provides scored audit context. Use clickjacking-test for binary framing test; use this page for header value documentation in compliance reports.
Both complement ssl-grade transport checks — framing is application-layer browser enforcement.
Deployment patterns
Set X-Frame-Options DENY on admin and banking paths unless intentional embeds required. SAMEORIGIN for same-site widget embeds. Prefer migrating to CSP frame-ancestors for finer control.
CDN edge header injection ensures static assets inherit framing policy — verify HTML document response, not only API JSON endpoints.
Reading score and missing arrays
missing includes xFrame when absent. score sums present checks at eleven points each across nine header categories. grade A through F summarizes percentage of maxScore ninety-nine.
Fix xFrame first on sensitive authenticated routes — then address broader missing headers.
API and JSON reports
Copy the JSON for SOC 2 control evidence. The checks.xFrame.present boolean automates CI header regression tests.
Re-run after CDN or middleware deploys — headers regress frequently during infrastructure changes.
Authorized scanning
Scan URLs you own or may assess. Fetch contacts target servers — respect rate limits.
We do not permanently store scanned URLs.
Important notes & limitations
- Scores presence only — ALLOW-FROM and weak values still earn points.
- Does not execute browser iframe embed test — use clickjacking-test.
- Single URL fetch — subresources not scanned individually.
- Some hosts return different headers to bots versus browsers.
- CSP frame-ancestors in checks.csp may protect even when XFO absent.
Frequently Asked Questions
Yes. VSPIC offers this X-Frame-Options checker at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
It reads X-Frame-Options presence and value. For boolean vulnerable assessment, use clickjacking-test which parses framing policy specifically.
security-headers with the url parameter.
Full headers and checks.csp are returned. Inspect CSP for frame-ancestors — it may protect framing even without XFO.
Same security-headers API. This page emphasizes checks.xFrame and clickjacking SEO framing.
Yes — presence earns points. ALLOW-FROM is deprecated and poorly supported — prefer DENY or CSP frame-ancestors.
Some paths serve different headers to bots. Redirect chains may affect which response headers we score.
Next step for your check
Continue with clickjacking test on VSPIC.