Missing x frame options
Quick win: Add an X-Frame-Options HTTP response header set to DENY or SAMEORIGIN to prevent your store's pages from being embedded in iframes on other websites.
What it is
The X-Frame-Options header is a security instruction your web server sends to browsers telling them whether your pages are allowed to be loaded inside an iframe (an embedded frame inside another webpage). When this header is missing, any website in the world can silently embed your store inside their own page. The two safe values are DENY (your pages can never be framed by anyone, including yourself) and SAMEORIGIN (only pages on your own domain can frame your pages). Most stores should use SAMEORIGIN unless they have no legitimate need for iframing their own content, in which case DENY is the stronger choice.
Why it matters
Without this header, attackers can load your store's checkout or login page invisibly inside a malicious site and trick your customers into clicking buttons or entering credentials they think are on a trusted page — a well-known attack called "clickjacking." This can lead to stolen customer credentials, fraudulent orders, and credit card theft, exposing your business to liability and reputational damage. Search engines and security scanners flag the missing header as a misconfiguration (OWASP A05:2021), which can hurt your trust signals and put you at risk of failing PCI-DSS compliance checks if you accept card payments. Adding this header is a low-effort, high-impact fix that closes this attack vector entirely in modern browsers.
How to fix it
- Decide on the right value: choose DENY if no part of your store needs to be embedded in an iframe on any site (including your own), or SAMEORIGIN if you embed your own pages (e.g., a store widget on a subdomain).
- Locate where HTTP response headers are configured for your store — this is typically your web server config (Nginx/Apache), a CDN/proxy layer (Cloudflare, Fastly), your hosting control panel, or your platform's built-in security settings.
- Add the header: X-Frame-Options: DENY (or SAMEORIGIN) to every HTTP response, not just the homepage — it must apply site-wide.
- If your platform or server also supports Content-Security-Policy, add the frame-ancestors directive as well (e.g., frame-ancestors 'none' or frame-ancestors 'self') because CSP frame-ancestors supersedes X-Frame-Options in modern browsers and provides defence-in-depth.
- Deploy the change and verify it is present by loading any page of your store in a browser, opening DevTools (F12) → Network tab → click the document request → inspect the Response Headers section and confirm X-Frame-Options appears with the correct value.
- Test that legitimate functionality (payment iframes, embedded maps, chat widgets, and any of your own pages that you frame on your own domain) still works. X-Frame-Options governs who may frame your pages, not what your pages may frame, so third-party iframes embedded in your pages are not affected by the header your own pages send.
# Raw response header to send:
X-Frame-Options: SAMEORIGIN
# Apache (.htaccess or VirtualHost):
Header always set X-Frame-Options SAMEORIGIN
# Nginx (server block):
add_header X-Frame-Options SAMEORIGIN always;
# Defence-in-depth — also add via CSP:
Content-Security-Policy: frame-ancestors 'self';
Fix it on your platform
Pick your platform for the exact steps.
How to fix missing x frame options on Shopify
- Shopify's core platform automatically sets X-Frame-Options: DENY on all storefront pages — verify this is still true by checking Response Headers in browser DevTools.
- If you use a custom Shopify app or third-party proxy that strips headers, contact that app's support to ensure they pass through or re-add the header.
- For Shopify Plus merchants using a custom domain behind Cloudflare: in your Cloudflare dashboard go to Rules → Transform Rules → Response Header Modification → Create Rule → Add Header: X-Frame-Options = SAMEORIGIN, apply to all requests.
How to fix missing x frame options on Shopify Plus
- Same as Shopify — the platform sets this header by default.
- If your Shopify Plus store is routed through a custom reverse proxy or CDN (Cloudflare, Fastly, Akamai), confirm the header is not being stripped at that layer.
- In Cloudflare: Rules → Transform Rules → Response Header Modification → Add X-Frame-Options: SAMEORIGIN for all hostname matches.
How to fix missing x frame options on WooCommerce
- Install the free 'Headers Security Advanced & HSTS WP' plugin (or 'HTTP Headers' by John Blackbourn) from WordPress.org plugins — search in WP Admin → Plugins → Add New.
- In the plugin settings, enable X-Frame-Options and set the value to SAMEORIGIN (or DENY if you never iframe your own pages).
- Alternatively, add the following to your theme's functions.php or a site-specific plugin: add_action('send_headers', function(){ header('X-Frame-Options: SAMEORIGIN'); });
- If your hosting uses Nginx, ask your host to add 'add_header X-Frame-Options SAMEORIGIN always;' inside the server{} block; for Apache, add 'Header always set X-Frame-Options SAMEORIGIN' to your .htaccess or VirtualHost config.
- Verify by visiting your storefront, opening DevTools → Network → document request → Response Headers.
How to fix missing x frame options on BigCommerce
- BigCommerce does not expose direct server-header configuration in the store admin for the storefront.
- Place your BigCommerce storefront behind Cloudflare (free tier works): in Cloudflare go to Rules → Transform Rules → Response Header Modification → Create Rule → Add Header: X-Frame-Options = SAMEORIGIN → deploy to all requests for your domain.
- Alternatively, contact BigCommerce Support and request that X-Frame-Options: SAMEORIGIN be added to your store's response headers at the platform level.
- Verify the header is present using DevTools → Network → Response Headers on any storefront page.
How to fix missing x frame options on Wix
- Wix manages server infrastructure and sets security headers on your behalf; direct HTTP header configuration is not available to site owners.
- Check your current headers using browser DevTools or a header-checker tool; Wix has added X-Frame-Options: SAMEORIGIN to most sites by default.
- If the header is missing, report it to Wix Support — they control the server-level configuration.
- If your Wix site is proxied through Cloudflare using an orange-cloud DNS record, you can add the header via Cloudflare Rules → Transform Rules → Response Header Modification.
How to fix missing x frame options on Squarespace
- Squarespace controls server-level headers and sets X-Frame-Options: SAMEORIGIN by default for most pages.
- Verify the header is present on your storefront pages via DevTools → Network → Response Headers.
- If missing, contact Squarespace Support — direct HTTP header configuration is not exposed in the Squarespace admin panel.
- If your domain is proxied through Cloudflare, add the header via Rules → Transform Rules → Response Header Modification → Add X-Frame-Options: SAMEORIGIN.
How to fix missing x frame options on Webflow
- In your Webflow project, go to Project Settings → Security (or the 'Hosting' tab, depending on your plan) — Webflow allows you to add custom HTTP response headers for sites on the paid hosting plans.
- Under 'Custom Response Headers', click Add Header, enter Name: X-Frame-Options, Value: SAMEORIGIN, and save.
- Publish your site for the change to take effect.
- Verify via DevTools → Network → Response Headers on any published page.
- If you host Webflow via a custom server/export, add the header in your Nginx or Apache config as described in the WooCommerce steps above.
How to fix missing x frame options on Adobe Commerce (Magento)
- In the Magento Admin Panel, go to Stores → Configuration → General → Web → Default Pages — check if a built-in X-Frame-Options setting exists (Magento 2.x exposes this under Stores → Configuration → Security).
- For Magento 2.x: go to Stores → Configuration → Security → set 'X-Frame-Options Header' to SAMEORIGIN and save.
- Alternatively, open your Nginx server block config (typically /etc/nginx/sites-available/your-store.conf) and add 'add_header X-Frame-Options SAMEORIGIN always;' inside the server{} block, then reload Nginx with 'sudo nginx -s reload'. Note that an add_header inside a location{} block replaces (rather than extends) the add_header directives inherited from the server{} block, so repeat the header in any location{} block that sets its own headers.
- For Apache: open your .htaccess or VirtualHost config and add 'Header always set X-Frame-Options SAMEORIGIN' (this requires mod_headers to be enabled), then restart Apache.
- Flush the Magento full-page cache: System → Cache Management → Flush Cache Storage.
- Verify via DevTools → Network → Response Headers.
How to fix missing x frame options on Magento Open Source
- Same as Adobe Commerce (Magento) above.
- In Magento 2 Open Source admin: Stores → Configuration → Security → X-Frame-Options Header → set to SAMEORIGIN.
- Flush the full-page cache after saving: System → Cache Management → Flush Cache Storage.
- For server-level enforcement, add 'add_header X-Frame-Options SAMEORIGIN always;' to your Nginx server block or 'Header always set X-Frame-Options SAMEORIGIN' in your Apache config.
How to fix missing x frame options on PrestaShop
- In your PrestaShop hosting environment, open your .htaccess file (root of your PrestaShop installation) and add: Header always set X-Frame-Options SAMEORIGIN
- If using Nginx, add to your server{} block: add_header X-Frame-Options SAMEORIGIN always;
- Alternatively, install a security-headers module from the PrestaShop Marketplace (search 'security headers') which adds X-Frame-Options via a back-office toggle.
- Clear PrestaShop cache: Advanced Parameters → Performance → Clear Cache.
- Verify via DevTools → Network → Response Headers.
How to fix missing x frame options on OpenCart
- Open the .htaccess file in the root of your OpenCart installation and add: Header always set X-Frame-Options SAMEORIGIN
- If your host uses Nginx, add 'add_header X-Frame-Options SAMEORIGIN always;' to the server block for your domain.
- Some OpenCart hosting control panels (cPanel/Plesk) allow adding custom headers under 'Apache Handlers' or 'HTTP Headers' modules — look for a Headers section in your cPanel.
- Verify via DevTools → Network → Response Headers.
How to fix missing x frame options on Cloudflare (CDN/Proxy)
- Log in to your Cloudflare dashboard and select your domain.
- Go to Rules → Transform Rules → Response Header Modification.
- Click Create Rule, give it a name like 'Add X-Frame-Options'.
- Set Field: Hostname, Operator: equals, Value: yourdomain.com (or use a wildcard).
- Under Then: Set Header → Header Name: X-Frame-Options, Value: SAMEORIGIN.
- Save and deploy. The header will be injected into all responses passing through Cloudflare.
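Every platform section above ends with the same manual check in DevTools. The script below is an added example (it is not from this article, from SEOLZ, or from any of the platforms named) that turns that check into code: it parses a response's header section, applies the rules the article describes (DENY and SAMEORIGIN are honoured; a CSP frame-ancestors directive takes precedence over X-Frame-Options), and also catches cases a quick glance at DevTools misses, such as the obsolete ALLOW-FROM value, conflicting duplicate headers, or a wildcard frame-ancestors. The sample responses and hostnames in it are constructed placeholders, not captured from any real site.

```python
"""Check whether an HTTP response carries effective framing (clickjacking) protection.

Added example, not part of the original article or any platform's own tooling.
It evaluates the two controls the article describes, X-Frame-Options and the
CSP frame-ancestors directive, and reports which one is doing the protecting.
"""
import urllib.request
from typing import Dict, List, Tuple

# Values current browsers honour. ALLOW-FROM is obsolete and ignored, and an
# unrecognised value is ignored too, which leaves the page frameable.
SAFE_XFO_VALUES = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header section of a raw HTTP response into (name, value) pairs.

    Names are lower-cased. Repeated headers are kept in order, because a response
    may carry several Content-Security-Policy headers and browsers enforce each.
    """
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]                      # drop the status line
    pairs = []
    for line in lines:
        if not line.strip():
            break                              # blank line ends the header section
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def frame_ancestors_sources(policies: List[str]) -> List[List[str]]:
    """Return the source list of every frame-ancestors directive in the policies."""
    found = []
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                found.append(tokens[1:])
    return found


def assess(raw_response: str) -> Dict[str, object]:
    """Classify a response as protected-by-csp, protected-by-xfo or unprotected."""
    headers = parse_raw_headers(raw_response)
    xfo_values = [v.upper() for n, v in headers if n == "x-frame-options"]
    # Only the enforcing header counts; a Report-Only policy never blocks framing.
    policies = [v for n, v in headers if n == "content-security-policy"]
    ancestors = frame_ancestors_sources(policies)
    findings: List[str] = []

    xfo_effective = False
    if not xfo_values:
        findings.append("X-Frame-Options header is missing")
    else:
        distinct = sorted(set(xfo_values))
        if len(distinct) > 1:
            findings.append(f"conflicting X-Frame-Options values {distinct}; send exactly one")
        elif distinct[0] in SAFE_XFO_VALUES:
            xfo_effective = True
        elif distinct[0].startswith("ALLOW-FROM"):
            findings.append("X-Frame-Options ALLOW-FROM is obsolete and ignored by "
                            "current browsers; use CSP frame-ancestors instead")
        else:
            findings.append(f"unrecognised X-Frame-Options value {distinct[0]!r} is ignored")

    # Every delivered policy is enforced, so CSP protects the page as long as at
    # least one frame-ancestors directive does not allow every origin with '*'.
    csp_effective = bool(ancestors) and not all("*" in src for src in ancestors)
    if not ancestors:
        findings.append("no CSP frame-ancestors directive (recommended as defence-in-depth)")
    elif not csp_effective:
        findings.append("frame-ancestors * allows any site to frame the page")

    # When both are present, browsers apply frame-ancestors and ignore X-Frame-Options.
    verdict = ("protected-by-csp" if csp_effective
               else "protected-by-xfo" if xfo_effective else "unprotected")
    return {"verdict": verdict, "xfo": xfo_values,
            "frame_ancestors": ancestors, "findings": findings}


def fetch_raw_headers(url: str) -> str:
    """Fetch a live page and rebuild its status line and headers as raw text."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        status = f"HTTP/1.1 {resp.status} {resp.reason}"
        return "\n".join([status] + [f"{k}: {v}" for k, v in resp.getheaders()])


# Constructed sample responses (placeholder hostnames, not captured from any real site).
SAMPLE_UNPROTECTED = ("HTTP/1.1 200 OK\nContent-Type: text/html; charset=utf-8\n"
                      "Cache-Control: no-store\n\n<html>...</html>\n")
SAMPLE_XFO = "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN\n"
SAMPLE_OBSOLETE = ("HTTP/1.1 200 OK\nContent-Type: text/html\n"
                   "X-Frame-Options: ALLOW-FROM https://partner.example\n")
SAMPLE_CSP = ("HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: DENY\n"
              "Content-Security-Policy: default-src 'self'; "
              "frame-ancestors 'self' https://widgets.example\n")

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # e.g. python check_framing.py https://store.example/
        print(assess(fetch_raw_headers(sys.argv[1])))
    else:
        for label, sample in [("unprotected", SAMPLE_UNPROTECTED), ("xfo", SAMPLE_XFO),
                              ("obsolete", SAMPLE_OBSOLETE), ("csp", SAMPLE_CSP)]:
            print(label, "->", assess(sample)["verdict"])
```

Run it with a URL argument to check a live page, and check more than the homepage: the header must be on every response, so point it at the login, cart and checkout URLs as well. A verdict of protected-by-csp with X-Frame-Options still listed in findings is the expected result once both headers are in place, since the CSP directive is the one browsers act on.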
Does your site have this issue?
Run a free SEOLZ audit to find missing x frame options — and every other issue — across your whole site in minutes.
Frequently asked questions
What is Missing x frame options?
The X-Frame-Options header is a security instruction your web server sends to browsers telling them whether your pages are allowed to be loaded inside an iframe (an embedded frame inside another webpage). When this header is missing, any website in the world can silently embed your store inside their own page. The two safe values are DENY (your pages can never be framed by anyone, including yourself) and SAMEORIGIN (only pages on your own domain can frame your pages). Most stores should use SAMEORIGIN unless they have no legitimate need for iframing their own content, in which case DENY is the stronger choice.
Why does missing x frame options matter?
Without this header, attackers can load your store's checkout or login page invisibly inside a malicious site and trick your customers into clicking buttons or entering credentials they think are on a trusted page — a well-known attack called "clickjacking." This can lead to stolen customer credentials, fraudulent orders, and credit card theft, exposing your business to liability and reputational damage. Search engines and security scanners flag the missing header as a misconfiguration (OWASP A05:2021), which can hurt your trust signals and put you at risk of failing PCI-DSS compliance checks if you accept card payments. Adding this header is a low-effort, high-impact fix that closes this attack vector entirely in modern browsers.
How do I fix missing x frame options?
Add an X-Frame-Options HTTP response header set to DENY or SAMEORIGIN to prevent your store's pages from being embedded in iframes on other websites.
Authoritative references
- OWASP Top Ten — OWASP
- OWASP Cheat Sheet Series — OWASP
- Secure Headers Project — OWASP
- Website security — MDN