---
title: "How to Add Referrer-Policy and X-Frame-Options in Zenphoto"
description: "After installing the Zenphoto image gallery content management system (CMS), available in Softaculous, there are multiple ways to easily improve website security: Force HTTPS (SSL certificate)Enforce..."
url: https://www.inmotionhosting.com/support/website/zenphoto-referrer-policy-and-x-frame-options/
date: 2020-04-09
modified: 2022-05-31
author: "InMotion Hosting Contributor"
categories: ["Website"]
type: post
lang: en
---

# How to Add Referrer-Policy and X-Frame-Options in Zenphoto

After installing the [**Zenphoto**](https://www.zenphoto.org/) image gallery content management system (CMS), [avail](https://www.inmotionhosting.com/support/product-guides/softaculous/install-software-softaculous/)[a](https://www.inmotionhosting.com/support/product-guides/softaculous/install-software-softaculous/)[ble in Softaculous](https://www.inmotionhosting.com/support/product-guides/softaculous/install-software-softaculous/), there are multiple ways to easily improve website security:

- [Force HTTPS (SSL certificate)](https://www.inmotionhosting.com/support/website/force-https-in-zenphoto/)
- Enforce minimum password strength
- Data privacy settings for GDPR and CCPA compliance

But as stated in our [Web Hosting New Year’s Resolutions for 2020](https://www.inmotionhosting.com/blog/5-web-hosting-new-years-resolutions-for-2020/#security) blog earlier this year, there are multiple ways to improve website security regardless of your type of website or server hosting plan. Users with access to raw server files via [cPanel](https://www.inmotionhosting.com/support/edu/cpanel/), [Webmin](https://www.inmotionhosting.com/support/product-guides/cloud-server/how-to-install-webmin-on-centos/), Secure Shell [(SSH)](https://www.inmotionhosting.com/support/server/ssh/do-you-provide-ssh-access/), or other server administration methods can directly edit the [.htaccess file](https://www.inmotionhosting.com/support/website/where-is-my-htaccess-file/). This is the most common location for security HTTP headers including [HTTP Strict Transport Security (HSTS)](https://www.inmotionhosting.com/support/website/hsts-in-zenphoto/) and Content Security Policy (CSP).

Zenphoto users can easily add such HTTP headers with the **http****_security_headers** plugin. Below we cover:

- [X-Frame-Options](#x-frames)
- [Referrer-Policy](#referrer)

If you are interested in custom security options for Zenphoto (and other apps) you might also be interested to learn more about the [fully managed VPS hosting](https://www.inmotionhosting.com/vps-hosting) accounts.

## Add X-Frame-Options in Zenphoto

**X-Frame-Options** determines whether browsers will allow your website to display *within* other websites via HTML embedding tags to protect against clickjacking and related man-in-the-middle (MITM) attacks.

1. [Log into Zenphoto](https://www.inmotionhosting.com/support/website/login-zenphoto/)
2. [Install the **http_security_headers** plugin](https://www.inmotionhosting.com/support/website/install-zenphoto-plugin/) in the *Security* category
3. Click the gear icon to change settings
4. At the bottom, under *Other headers*, specify your **X-Frame-Options**:**disabled** – allow your webpages to be embedded within any website (default)**deny** – webpages cannot be displayed in a frame (recommended)**sameorigin** – webpages can be framed in the same webpage**allow-from** – webpages can be framed within the same URI (doesn’t work in newer browsers)[![](https://www.inmotionhosting.com/support/wp-content/uploads/2020/04/zenphoto-x-frame-options-1024x124.png)](https://www.inmotionhosting.com/support/wp-content/uploads/2020/04/zenphoto-x-frame-options.png)Recommended X-Frame-Options in Zenphoto
5. If you selected *allow-from*, add domains allowed to embed your webpages in **X-Frame-Options – allow-from hosts**
6. At the bottom, select **Apply**

## Add Referrer-Policy in Zenphoto

**Referrer-policy** determines how much information is sent through with `referer` header in URI requests. This prevents URLs with sensitive information (e.g. user credentials and private files) from showing up in [web analytics software logs](https://www.inmotionhosting.com/support/website/analytics/choose-the-best-analytics-tool/).

1. If you have the [**http_security_headers plugin** installed](https://www.inmotionhosting.com/support/website/install-zenphoto-plugin/) already, select **Options**, then **Plugin** from the top navigation menu
2. Select **http_security_headers**
3. At the bottom, under *Other headers*, specify **Referrer-Policy** from the drop-down menu:**disabled** – No preference**no-referrer** – No referrer info sent**no-referrer-when-downgrade** – Full URL sent unless HTTPS to HTTP page (default)**origin** – Only origin**origin-when-cross-origin** – Full URL for within the same site, but only origin for others**same-origin** – Only origin (root domain – e.g. example.com instead of example.com/page1) for within the same site**strict-origin** – Origin only when protocol security level is the same (e.g. HTTPS > HTTPS)**strict-origin-when-cross-origin** – Full URL when within site, only origin when protocol security level is the same (e.g. HTTPS > HTTPS), and no info from HTTPS to HTTP**unsafe-url** – Full URL (not recommended)[![](https://www.inmotionhosting.com/support/wp-content/uploads/2020/04/zenphoto-referrer-1024x185.png)](https://www.inmotionhosting.com/support/wp-content/uploads/2020/04/zenphoto-referrer.png)Recommended Referrer-Policy Setting in Zenphoto
4. At the bottom, select **Apply**

You can view your website HTTP headers with the Zenphoto **HTTP header inspector**.
