X-Frame-Options - HTTP | MDN

If you can still load your page in an <iframe>, then either you haven't set the header properly, or you are using a really old browser which doesn't support the header - e.g. Internet Explorer 7.

NB: In more recent browsers, the X-Frame-Options header is essentially obsolete. It can be replaced with the frame-ancestors directive of your content security policy.

Content-Security-Policy - HTTP | MDN
CSP Cheat Sheet
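
One way to check whether a response's anti-framing headers are set properly, as an added example that is not part of the original post. The helper name `checkFraming` and the sample headers are assumptions constructed for illustration.

```javascript
// Added example (not from the original post): classify one response's anti-framing headers.
// `headers` maps header name -> value; checkFraming is a hypothetical helper name.
function checkFraming(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = String(value);

  // X-Frame-Options: accept only a single DENY or SAMEORIGIN. Anything else
  // (the obsolete ALLOW-FROM, typos, conflicting values) is reported as a
  // misconfiguration to fix.
  let xfo = "missing";
  if ("x-frame-options" in h) {
    const values = new Set(h["x-frame-options"].split(",").map(v => v.trim().toUpperCase()));
    const only = values.size === 1 ? [...values][0] : "";
    xfo = only === "DENY" || only === "SAMEORIGIN" ? only : "misconfigured";
  }

  // Content-Security-Policy: policies are comma-separated, directives are
  // semicolon-separated, and the first frame-ancestors in a policy is the one used.
  const frameAncestors = [];
  for (const policy of (h["content-security-policy"] || "").split(",")) {
    for (const directive of policy.split(";")) {
      const [name, ...sources] = directive.trim().split(/\s+/);
      if (name.toLowerCase() === "frame-ancestors") {
        frameAncestors.push(sources.map(s => s.toLowerCase()));
        break;
      }
    }
  }

  // A frame-ancestors list restricts framing unless it contains a catch-all source.
  // When the directive is present, supporting browsers ignore X-Frame-Options.
  const broad = new Set(["*", "http:", "https:"]);
  const cspRestricts = frameAncestors.some(srcs => !srcs.some(s => broad.has(s)));
  const xfoOk = xfo === "DENY" || xfo === "SAMEORIGIN";
  return { xfo, frameAncestors, framingRestricted: frameAncestors.length ? cspRestricts : xfoOk };
}

// Constructed sample responses.
console.log(checkFraming({ "X-Frame-Options": "SAMEORIGIN" }));
console.log(checkFraming({ "X-Frame-Options": "ALLOW-FROM https://example.com" }));
console.log(checkFraming({ "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'" }));
console.log(checkFraming({ "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *" }));
```

A `Content-Security-Policy-Report-Only` header is deliberately not read here, because a report-only policy does not block framing.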