X-Frame-Options
X-Frame-Options prevents clickjacking attacks by controlling whether your site can be embedded in iframes on other domains. SaaSalyst checks whether your server sends this header, detecting a missing protection against one of the most common web attack vectors.
What SaaSalyst Checks
SaaSalyst inspects the HTTP response headers for the X-Frame-Options header. Common values are DENY (never allow framing) and SAMEORIGIN (only allow framing by pages on your own domain).
Why This Matters
Clickjacking attacks trick users into clicking on hidden elements overlaid on your site within an iframe. This can lead to unauthorized actions: changing account settings, making payments, or sharing data.
For SaaS products with any user interaction (login forms, settings pages, payment flows), clickjacking protection is essential. Without it, an attacker can embed your login page in a malicious site and capture credentials.
The modern replacement for X-Frame-Options is the frame-ancestors directive in Content-Security-Policy, but X-Frame-Options provides broader browser compatibility.
How to Fix It
- Add the X-Frame-Options header to your server responses: X-Frame-Options: DENY (blocks all framing) or X-Frame-Options: SAMEORIGIN (allows same-domain framing).
- For Vercel or Next.js, configure this in the headers section of next.config.js or in vercel.json.
- If your product needs to be embedded (e.g., widget functionality), use SAMEORIGIN or the CSP frame-ancestors directive for more granular control.
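As an added example (not SaaSalyst's code), here is the next.config.js-style headers entry the steps above describe, together with a checker that evaluates response headers the way a scan would; the config entry and all header values are constructed, and the verdict follows the HTML spec's X-Frame-Options processing, including CSP frame-ancestors taking precedence.

```javascript
// Added example (not SaaSalyst's code): a next.config.js-style headers entry plus a header checker.
// Constructed entry in the shape Next.js documents for the `headers()` export in next.config.js.
const nextHeadersConfig = [
  {
    source: "/(.*)",
    headers: [
      { key: "X-Frame-Options", value: "DENY" },
      { key: "Content-Security-Policy", value: "frame-ancestors 'none'" },
    ],
  },
];

// Collapse a {key, value} header list into a lower-cased map; repeated headers are joined with ", ".
function toHeaderMap(headerList) {
  const map = {};
  for (const { key, value } of headerList) {
    const k = key.toLowerCase();
    map[k] = k in map ? `${map[k]}, ${value}` : value;
  }
  return map;
}

// Return the frame-ancestors source list from a CSP value, or null if the directive is absent.
function frameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(";").map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  return directive ? directive.split(/\s+/).slice(1).map((s) => s.toLowerCase()) : null;
}

// Verdict for one response: { protected, source, note }.
function assessFramingProtection(headerList) {
  const h = toHeaderMap(headerList);
  // Browsers that support frame-ancestors ignore X-Frame-Options once that directive is present.
  const ancestors = frameAncestors(h["content-security-policy"]);
  if (ancestors) {
    const open = ancestors.includes("*") || ancestors.some((s) => /^https?:$/.test(s));
    return { protected: !open, source: "csp", note: `frame-ancestors ${ancestors.join(" ")}` };
  }
  const xfo = h["x-frame-options"];
  if (xfo === undefined) return { protected: false, source: "none", note: "header missing" };
  const values = [...new Set(xfo.split(",").map((v) => v.trim().toUpperCase()))];
  if (values.length > 1) {
    // Per the HTML spec, conflicting values still block framing if any is DENY/SAMEORIGIN/ALLOWALL.
    const blocks = values.some((v) => ["DENY", "SAMEORIGIN", "ALLOWALL"].includes(v));
    return { protected: blocks, source: "xfo", note: `conflicting values "${xfo}"` };
  }
  if (values[0] === "DENY" || values[0] === "SAMEORIGIN") return { protected: true, source: "xfo", note: values[0] };
  // ALLOW-FROM is obsolete and ALLOWALL is non-standard; unrecognised values give no protection.
  return { protected: false, source: "xfo", note: `unsupported value "${xfo}"` };
}
```

Run `assessFramingProtection(nextHeadersConfig[0].headers)` to see the constructed config pass; a response with only `ALLOW-FROM` or a CSP `frame-ancestors *` fails.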
Frequently Asked Questions
How does SaaSalyst check for X-Frame-Options?
SaaSalyst inspects your server's HTTP response headers for X-Frame-Options. If present (DENY or SAMEORIGIN), the check passes.
What is clickjacking?
Clickjacking overlays your site in a hidden iframe on a malicious page, tricking users into interacting with your site unknowingly. SaaSalyst checks X-Frame-Options because it prevents this attack class.
How does X-Frame-Options affect my Business Readiness Score?
SaaSalyst rates X-Frame-Options as medium severity in Security & Infrastructure. It's a standard security header that protects against clickjacking attacks.
Check Your SaaS Now — Free
SaaSalyst scans your website in 30 seconds and checks for X-Frame-Options along with 40+ other business readiness signals.