
How do I add X-Frame-Options to my website?

By Angus · Published 12 May 2026 · Updated 14 May 2026 · 4 min read

X-Frame-Options is an HTTP response header that controls whether your website can be embedded inside an iframe on another domain. On servers running the PCI security configuration, NGINX sets X-Frame-Options: SAMEORIGIN by default, which blocks iframes from external domains. If a third-party service such as a payment widget or embedded tool is being blocked, you can override this behaviour in your .htaccess file.

This guide covers how to allow a specific domain to embed your site, and how to remove the restriction globally if needed.

Before you begin

  • You need access to your website’s .htaccess file via cPanel File Manager or an FTP client.
  • We recommend taking a backup of your .htaccess file before making changes.
  • Your hosting account must be running Apache, or have Apache handling .htaccess directives. The mod_headers module must be active.

Why X-Frame-Options is blocked by default

Servers with the PCI security configuration have NGINX set to apply X-Frame-Options: SAMEORIGIN to all responses automatically. This prevents your site from being loaded inside an iframe on any external domain, which is a common defence against clickjacking attacks. The downside is that legitimate third-party embeds, such as payment forms or booking widgets, are also blocked.

You can override this at the application level using an .htaccess directive, which takes precedence for your site’s responses.

Allow a specific domain to embed your site

The recommended approach is to permit only the domain that legitimately needs to embed your site. This keeps your site protected from other external domains while allowing the specific integration to work.

  1. Open your .htaccess file.
     Log in to cPanel and navigate to File Manager. Locate .htaccess in your website’s root directory, typically public_html. Right-click the file and select Edit.
  2. Add the ALLOW-FROM directive.
     Add the following line, replacing the example URL with the domain that needs to embed your site.

     Header set X-Frame-Options "ALLOW-FROM https://www.example.com/"

  3. Save the file.
     Click Save Changes in File Manager, then reload your site to confirm the embed now works.

[Screenshot: cPanel File Manager editor showing the .htaccess file with an X-Frame-Options Header set directive. Caption: Editing .htaccess in cPanel File Manager.]

Your site can now be embedded by the specified domain while remaining blocked for all others.

A note on browser support for ALLOW-FROM

The ALLOW-FROM directive is deprecated and no longer supported in Chrome or Firefox. If a visitor opens the embedding page in either of these browsers, the directive will have no effect and the iframe will still be blocked. The modern replacement is the Content-Security-Policy header using the frame-ancestors directive.

Add the following line to your .htaccess file alongside the X-Frame-Options directive to cover modern browsers. Replace the example URL with the domain that needs to embed your site.

Header set Content-Security-Policy "frame-ancestors 'self' https://www.example.com/"

Using both headers together gives the widest browser coverage: X-Frame-Options covers older browsers that do not support CSP, while frame-ancestors covers modern ones.
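The following script is an added example, not part of this article or of cPanel, and it covers both the .htaccess steps above and the frame-ancestors addition in one place: it generates the complete .htaccess fragment for a single trusted embedding origin, so the two directives always name the same domain. It assumes Apache with mod_headers (the IfModule guard keeps a missing module from breaking the site), an https origin such as https://www.example.com, and it uses Header always set rather than Header set so the headers are also sent on error responses; that is this example's choice, not the article's. One caveat worth knowing: browsers that understand frame-ancestors ignore X-Frame-Options when both headers are present, so the CSP value is the one that counts in Chrome and Firefox.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the .htaccess
# fragment for one trusted embedding origin, pairing the legacy ALLOW-FROM
# form with the frame-ancestors directive that modern browsers honour.
# Assumes Apache with mod_headers; the <IfModule> guard keeps the fragment
# from breaking the site if the module is missing. The origin is assumed to
# be an https scheme plus host, such as https://www.example.com.

render_htaccess() {
    origin="$1"
    case "$origin" in
        https://*) ;;
        *) echo "error: origin must be an https:// URL, got '$origin'" >&2; return 1 ;;
    esac
    case "$origin" in
        *[!A-Za-z0-9:/._-]*)
            # Quotes, spaces or other odd characters would break the directive line.
            echo "error: origin contains unexpected characters" >&2; return 1 ;;
    esac
    origin="${origin%/}"   # trailing slash off; ALLOW-FROM gets it back, CSP wants a bare origin

    cat <<EOF
<IfModule mod_headers.c>
    # Legacy browsers: ALLOW-FROM (ignored by Chrome and Firefox)
    Header always set X-Frame-Options "ALLOW-FROM $origin/"
    # Modern browsers: frame-ancestors replaces ALLOW-FROM and wins when both are sent
    Header always set Content-Security-Policy "frame-ancestors 'self' $origin"
</IfModule>
EOF
}

# Usage: print the fragment, or append it to the site's .htaccess
# (the path is a placeholder):
#   render_htaccess https://www.example.com >> /home/USER/public_html/.htaccess
render_htaccess https://www.example.com
```

If the site already sends a Content-Security-Policy header, do not add a second one with Header set; merge the frame-ancestors directive into the existing policy instead, because a new Header set line replaces the whole value.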

Remove the X-Frame-Options header globally

If you need to allow embedding from any domain without restriction, you can unset the header entirely. We do not recommend this approach as it removes clickjacking protection for your site.

To remove the header globally, add the following line to your .htaccess file.

Header always unset X-Frame-Options

This removes the X-Frame-Options header from all responses, allowing any domain to embed your site in an iframe.

Troubleshooting

The iframe is still blocked after editing .htaccess

If the embed is still blocked after saving your changes, the NGINX-level header may be overriding the Apache directive before it reaches the browser. Check the following:

  • Confirm the .htaccess file is saved in the correct root directory for the domain.
  • Use your browser’s developer tools (Network tab) to inspect the response headers and confirm which value is being sent.
  • If the NGINX header is still present, raise a support ticket so the server-level configuration can be reviewed.
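For the header inspection step in the list above, the script below is an added example (not part of this article) that does the same check from the command line instead of the browser's Network tab. It reads raw HTTP response headers, reports every X-Frame-Options value it finds, flags the two situations this troubleshooting section describes (a server-level header still being sent alongside the .htaccess one, and an ALLOW-FROM value with no frame-ancestors to back it up) and returns a verdict code. The header samples are constructed; fetch_framing_headers and the URL are this example's own names.

```shell
#!/bin/sh
# Added example, not part of the original article: a command-line check of the
# framing headers a site actually returns. check_framing_headers reads raw HTTP
# response headers on stdin, prints one finding per line and returns a verdict:
#   0 = embedding is restricted (or deliberately allowed) in a way modern browsers honour
#   1 = no restriction at all
#   2 = only the deprecated ALLOW-FROM form is set
# fetch_framing_headers wraps it around curl for a live site.

check_framing_headers() {
    headers=$(tr -d '\r')   # strip CRLF line endings from the raw dump

    # Every X-Frame-Options value, one per line (there may be more than one
    # when the server-level configuration and .htaccess each add their own).
    xfo=$(printf '%s\n' "$headers" | grep -i '^x-frame-options:' \
          | sed 's/^[^:]*:[[:space:]]*//')
    xfo_count=$(printf '%s\n' "$headers" | grep -ic '^x-frame-options:' || true)

    # The frame-ancestors directive, if any CSP header carries one.
    ancestors=$(printf '%s\n' "$headers" | grep -i '^content-security-policy:' \
          | sed 's/^[^:]*:[[:space:]]*//' | tr ';' '\n' \
          | sed 's/^[[:space:]]*//' | grep -i '^frame-ancestors' || true)

    if [ "$xfo_count" -gt 1 ]; then
        echo "CONFLICT: $xfo_count X-Frame-Options headers sent (server-level and .htaccess both active?); browsers treat disagreeing values as a deny"
    fi

    if [ -n "$ancestors" ]; then
        echo "MODERN: $ancestors"
        if [ -n "$xfo" ]; then
            echo "NOTE: browsers that honour frame-ancestors ignore X-Frame-Options when both are present"
        fi
        return 0
    fi

    if [ -z "$xfo" ]; then
        echo "OPEN: no X-Frame-Options and no frame-ancestors; any site may embed this page"
        return 1
    fi

    if printf '%s\n' "$xfo" | grep -iq 'allow-from'; then
        echo "LEGACY-ONLY: $xfo (ALLOW-FROM is ignored by Chrome and Firefox; add a frame-ancestors directive)"
        return 2
    fi

    echo "RESTRICTED: X-Frame-Options $xfo"
    return 0
}

# Fetch a live page with a GET (not HEAD, which some servers answer differently)
# and pass only the response headers to the checker.
fetch_framing_headers() {
    curl -sS -o /dev/null -D - "$1" | check_framing_headers
}

# Constructed sample: what a PCI-configured server might return when .htaccess
# sets ALLOW-FROM but the server-level SAMEORIGIN is still added, with no CSP.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Frame-Options: ALLOW-FROM https://www.example.com/
'

# Usage on the constructed sample; for a real site use
#   fetch_framing_headers https://your-site.example/
printf '%s' "$SAMPLE_HEADERS" | check_framing_headers && echo "verdict: 0" || echo "verdict: $?"
```

Run it against the page that is supposed to be embeddable: a CONFLICT line means the server-level header is still reaching the browser and the support ticket in the last bullet is the right next step; a LEGACY-ONLY line means the .htaccess change worked but the frame-ancestors directive is still missing.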

The embed works in some browsers but not others

This is the expected behaviour when only the ALLOW-FROM directive is set. Chrome and Firefox ignore ALLOW-FROM entirely. Add the Content-Security-Policy: frame-ancestors header as described above to resolve this for modern browsers.

Wrapping up

You have configured X-Frame-Options in your .htaccess file to control how your site can be embedded in iframes. Using ALLOW-FROM alongside a Content-Security-Policy: frame-ancestors directive gives the broadest browser coverage while keeping your site protected from unauthorised embedding.

If you need to make further changes to your server headers or security configuration, see our guides on managing NGINX in cPanel and fixing website error codes. For broader site security, the website security guide on our blog covers additional steps you can take.

Our cPanel hosting plans give you full access to your .htaccess file and File Manager so you can manage headers and configuration directly.
