How to add X-Frame-Options header to a simple HTML file?

X-Frame-Options is an HTTP header. As such, it's not part of HTML and can't be set inside an HTML document.

One reason why it's an HTTP header only is that clients should be able to decide if the document is allowed to be embedded in a frame before parsing the HTML code.

Hence, you can't achieve that by editing the file; you need to modify the server's HTTP response. Typically, this is done in the settings provided by the web server software or with a server-side language.

E.g., a setting in Apache could look like this:

Header always append X-Frame-Options DENY

Or, in PHP, you could set the header like this:

<?php header('X-Frame-Options: DENY'); ?>

Note that there is a more modern CSP equivalent, frame-ancestors. But while some CSP policies can be set as <meta> tags, that's not possible here. This does not work:

<head>
  <!-- This does *not* work! -->
  <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
</head>

Also have a look at the Clickjacking Defense Cheat Sheet for an overview of clickjacking defense measures beyond setting the XFO header.


The X-Frame-Options header is added on the server side, not the client. This is because the header is used to control how the browser should render the page.

Whatever server is hosting your file would have to add this header.
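
The following is an added example, not part of either answer above: a Python standard-library static file server that attaches both anti-framing headers to every response, plus a check that reports whether a response carries a framing policy in its headers and flags the ineffective <meta> variant. The names NoFramingHandler, audit_framing and META_ONLY_HTML, and the 127.0.0.1:8000 bind address, are assumptions made for illustration.

```python
import re
from http.server import HTTPServer, SimpleHTTPRequestHandler

class NoFramingHandler(SimpleHTTPRequestHandler):
    """Serve files from the current directory, adding both anti-framing headers."""
    def end_headers(self):
        # The headers belong to the HTTP response, so they are added here, not in the HTML file.
        self.send_header("X-Frame-Options", "DENY")
        self.send_header("Content-Security-Policy", "frame-ancestors 'none'")
        super().end_headers()

def audit_framing(headers, html=""):
    """Inspect a response, given as (name, value) header pairs plus its body."""
    result = {"xfo": None, "frame_ancestors": None, "ignored_meta": False}
    for name, value in headers:
        name = name.lower()  # header names are case-insensitive
        if name == "x-frame-options" and value.strip().upper() in ("DENY", "SAMEORIGIN"):
            result["xfo"] = value.strip().upper()
        elif name == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    result["frame_ancestors"] = " ".join(tokens[1:])
    # frame-ancestors delivered through a <meta> CSP is ignored by browsers: flag it.
    for tag in re.findall(r"<meta\b[^>]*>", html, re.I):
        if "content-security-policy" in tag.lower() and "frame-ancestors" in tag.lower():
            result["ignored_meta"] = True
    # A framing policy only counts when it arrives as an HTTP response header.
    result["enforced"] = result["xfo"] is not None or result["frame_ancestors"] is not None
    return result

# Constructed sample: the <meta> attempt from the answer above, served without headers.
META_ONLY_HTML = """<head>
  <meta http-equiv="Content-Security-Policy" content="frame-ancestors 'none'">
</head>"""

if __name__ == "__main__":
    print(audit_framing([("Content-Type", "text/html")], META_ONLY_HTML))
    # Assumed bind address and port, for local testing only.
    HTTPServer(("127.0.0.1", 8000), NoFramingHandler).serve_forever()
```

Run from the directory that holds the HTML file, this serves the file with the headers in place; audit_framing can be fed the header pairs from any HTTP client to confirm a deployment.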