How to fix x frame options weak on WooCommerce

Steps for WooCommerce

1. Install the free plugin 'HTTP Headers' (by David Gwyer) or 'Security Headers' from the WordPress plugin directory.
2. In WordPress admin go to Settings → HTTP Headers (or the plugin's menu), find X-Frame-Options, set the value to DENY, and save.
3. Alternatively, edit your theme's functions.php (or a site-specific plugin): add add_action('send_headers', function(){ header('X-Frame-Options: DENY'); });
4. Or add it directly in your .htaccess file (Apache): Header always set X-Frame-Options "DENY"
5. Or in Nginx server block: add_header X-Frame-Options "DENY" always; — place inside the server {} block and reload Nginx.
6. Verify with DevTools → Network → document response headers.

X-Frame-Options: DENY

What is x frame options weak?

The X-Frame-Options HTTP header is a one-line instruction your web server sends to every visitor's browser telling it whether your store's pages are allowed to be loaded inside an iframe (a "page within a page") on another website. There are two safe values: DENY (no site, including your own, can frame your pages) and SAMEORIGIN (only pages on your own domain can frame them). A weak or absent value means any website on the internet can load your store inside an invisible or disguised iframe — a classic attack called clickjacking.

Clickjacking lets attackers overlay your real checkout or login page inside a transparent iframe on a fake site, tricking customers into clicking buttons they can't see — handing over payment details, credentials, or completing purchases they didn't intend. This is a direct revenue, fraud, and brand-trust risk. It also violates PCI-DSS requirements around protecting cardholder data environments and can expose you to legal liability if customers are defrauded through your site. Google's Safe Browsing program can flag sites involved in such abuse, which destroys organic search rankings overnight.

See the complete X frame options weak guide for every platform and the full background.