Sign in with Microsoft
Sign in or create an account.
Select a different account.
You have multiple accounts
Choose the account you want to sign in with.


Framesniffing is an attack technique that takes advantage of browser functionality to steal data from a website. Web applications that allow their content to be hosted in a cross-domain IFRAME may be vulnerable to this attack.

Administrators can mitigate framesniffing by configuring IIS to send an HTTP response header that prevents content from being hosted in a cross-domain IFRAME.

More information

The X-Frame-Options header can be used to control whether a page can be placed in an IFRAME. Because the Framesniffing technique relies on being able to place the victim site in an IFRAME, a web application can protect itself by sending an appropriate X-Frame-Options header.

To configure IIS to add an X-Frame-Options header to all responses for a given site, follow these steps:

  1. Open Internet Information Services (IIS) Manager.

  2. In the Connections pane on the left side, expand the Sites folder and select the site that you want to protect.

  3. Double-click the HTTP Response Headers icon in the feature list in the middle.

  4. In the Actions pane on the right side, click Add.

  5. In the dialog box that appears, type X-Frame-Options in the Name field and type SAMEORIGIN in the Value field.

  6. Click OK to save your changes.

If you have other sites that need this configuration, repeat steps 2 through 6 for those sites also.

This change will prevent HTML pages on other domains from hosting your site in an IFRAME. For example, if the Contoso IT department applies this change to, pages at will no longer be able to display content from in an IFRAME.

You can modify the value of the X-Frame-Options header to allow to frame while blocking all other domains. To do this, change the value of the X-Frame-Options header in step 5 to ALLOW-FROM

For more information about the X-Frame-Options header, see this MSDN blog post.

To revert the change, follow these steps:

  1. Open Internet Information Services (IIS) Manager.

  2. In the Connections pane on the left side, expand the Sites folder, and select the site where you made this change.

  3. In the feature list in the middle, double-click the HTTP Response Headers icon.

  4. In the list of headers that appears, select X-Frame-Options.

  5. Click Remove in the Actions pane on the right side.

Need more help?

Want more options?

Explore subscription benefits, browse training courses, learn how to secure your device, and more.

Communities help you ask and answer questions, give feedback, and hear from experts with rich knowledge.

Was this information helpful?

What affected your experience?
By pressing submit, your feedback will be used to improve Microsoft products and services. Your IT admin will be able to collect this data. Privacy Statement.

Thank you for your feedback!