How Can You Prevent Third-Party Sites from Embedding Your Website in an Iframe?

Preventing Third-Party Site Embedding

When developing websites, it's crucial to prevent unauthorized framing of your site's pages within third-party iframes. This practice can compromise user privacy and potentially harm your site's reputation. To address this issue, consider implementing the following solutions:

Server-Side Detection

Until recently, detecting if your page is embedded within an iframe on the server-side was impossible. The referrer request header, often used to determine the source of a user's request, may not be reliable in these scenarios.

Client-Side Detection

Fortunately, JavaScript offers a solution. Using the following code, you can check for embedded frames after the page has loaded:

<code class="javascript">if (top !== self) {
  // Your page is embedded in an iframe
}</code>

HTTP Headers

Modern browsers also support the X-FRAME-OPTIONS HTTP header, which allows you to specify how your page should be framed. This header can take the following values:

• DENY: Prevents the page from being rendered within an iframe.

• SAMEORIGIN: Allows the page to be framed only if the top-level frameset holder belongs to the same domain as your page.

  browsers that support this header include IE8, Opera 10.50, Safari 4, Chrome 4.1.249.1042, and Firefox 3.6.9 (with NoScript).

The above is the detailed content of How Can You Prevent Third-Party Sites from Embedding Your Website in an Iframe?. For more information, please follow other related articles on the PHP Chinese website!