How do I fix missing x frame options on WooCommerce?

Install the free 'Headers Security Advanced & HSTS WP' plugin (or 'HTTP Headers' by John Blackbourn) from WordPress.org plugins — search in WP Admin → Plugins → Add New. In the plugin settings, enable X-Frame-Options and set the value to SAMEORIGIN (or DENY if you never iframe your own pages). Alternatively, add the following to your theme's functions.php or a site-specific plugin: add_action('send_headers', function(){ header('X-Frame-Options: SAMEORIGIN'); }); If your hosting uses Nginx, ask your host to add 'add_header X-Frame-Options SAMEORIGIN always;' inside the server{} block; for Apache, add 'Header always set X-Frame-Options SAMEORIGIN' to your .htaccess or VirtualHost config. Verify by visiting your storefront, opening DevTools → Network → document request → Response Headers.

How to fix missing x frame options on WooCommerce

Add an X-Frame-Options HTTP response header set to DENY or SAMEORIGIN to prevent your store's pages from being embedded in iframes on other websites.

Steps for WooCommerce

Install the free 'Headers Security Advanced & HSTS WP' plugin (or 'HTTP Headers' by John Blackbourn) from WordPress.org plugins — search in WP Admin → Plugins → Add New.
In the plugin settings, enable X-Frame-Options and set the value to SAMEORIGIN (or DENY if you never iframe your own pages).
Alternatively, add the following to your theme's functions.php or a site-specific plugin: add_action('send_headers', function(){ header('X-Frame-Options: SAMEORIGIN'); });
If your hosting uses Nginx, ask your host to add 'add_header X-Frame-Options SAMEORIGIN always;' inside the server{} block; for Apache, add 'Header always set X-Frame-Options SAMEORIGIN' to your .htaccess or VirtualHost config.
Verify by visiting your storefront, opening DevTools → Network → document request → Response Headers.

Official WooCommerce documentation ↗

X-Frame-Options: SAMEORIGIN

# Apache (.htaccess or VirtualHost):
Header always set X-Frame-Options SAMEORIGIN

# Nginx (server block):
add_header X-Frame-Options SAMEORIGIN always;

# Defence-in-depth — also add via CSP:
Content-Security-Policy: frame-ancestors 'self';

What is missing x frame options?

The X-Frame-Options header is a security instruction your web server sends to browsers telling them whether your pages are allowed to be loaded inside an iframe (an embedded frame inside another webpage). When this header is missing, any website in the world can silently embed your store inside their own page. The two safe values are DENY (your pages can never be framed by anyone, including yourself) and SAMEORIGIN (only pages on your own domain can frame your pages). Most stores should use SAMEORIGIN unless they have no legitimate need for iframing their own content, in which case DENY is the stronger choice.

Without this header, attackers can load your store's checkout or login page invisibly inside a malicious site and trick your customers into clicking buttons or entering credentials they think are on a trusted page — a well-known attack called "clickjacking." This can lead to stolen customer credentials, fraudulent orders, and credit card theft, exposing your business to liability and reputational damage. Search engines and security scanners flag the missing header as a misconfiguration (OWASP A05:2021), which can hurt your trust signals and put you at risk of failing PCI-DSS compliance checks if you accept card payments. Adding this header is a low-effort, high-impact fix that closes this attack vector entirely in modern browsers.

See the complete Missing x frame options guide for every platform and the full background.

Not sure if your WooCommerce store has this?

Run a free SEOLZ audit — we’ll find missing x frame options and every other issue across your whole site.

Scan my site free

How to fix missing x frame options on WooCommerce

Steps for WooCommerce

What is missing x frame options?

Not sure if your WooCommerce store has this?

Fix missing x frame options on another platform