Add X-Frame-Options in Drupal 8 with the Security Kit Module

The X-Frame-Options HTTP header specifies whether your Drupal website can be displayed within other websites with the <frame>, <iframe>, <object>, or <embed> HTML tags. This improves Drupal security against clickjacking and related cyber attacks.

Below we’ll cover how to install the Security Kit module and enable X-Frames-Options.

Mozilla recommends using the superseding Content Security Policy frame-ancestors attribute instead.

Install Security Kit

  1. Login to Drupal.
  2. Install the Drupal module using the Security Kit download link.
  3. Click Install at the bottom.
  4. Click Configuration at the top.


  1. Under System, Click Security Kit settings.
  2. Under Clickjacking, click X-Frame-Options Header for options.
  3. Select an X-Frames-Options HTTP header:
    SAMEORIGIN – your website can be framed in the same webpage (default option)
    DENY – website cannot be displayed in a frame
    ALLOW-FROM – website can only be framed within URIs specified below; may not work in newer browsers.
  4. At the bottom, click Save configuration.
Configure an X-Frame-Options response header
Enable X-Frames-Options if you’re not using Content Security Policy yet

Get high performance and security with our VPS Drupal Hosting.


It looks like this article doesn't have any comments yet - you can be the first. If you have any comments or questions, start the conversation!

Was this article helpful? Let us know!