Why your site has no 'X-Frame-Options' header
What you saw
A security scanner flagged that your site doesn't return an X-Frame-Options header. The scan called this a security gap.
Why we don't set X-Frame-Options
X-Frame-Options was the 2010-era way to prevent your site from being embedded inside an attacker's webpage (a "clickjacking" attack). Modern browsers have moved on. Your site uses the newer, more flexible mechanism: the frame-ancestors directive inside your Content-Security-Policy header.
Look at the CSP header on your site:
frame-ancestors 'self' https://app.siteglowup.ai https://staging-app.siteglowup.ai
That line says: only your own pages and your SiteGlowUp dashboard can embed your site in an iframe. Anyone else who tries gets a blank box. That's exactly the protection X-Frame-Options provided — only more precise and more configurable.
Why the scanner still complains
The scanner works through a checklist of headers one at a time, oldest to newest, and checks for X-Frame-Options without looking at frame-ancestors. Modern security guidance (OWASP, MDN, every major browser vendor) says: if you have frame-ancestors, the X-Frame-Options header is redundant — and shouldn't be set, because the two can conflict (a browser that understands frame-ancestors ignores X-Frame-Options whenever both are present, so a mismatched X-Frame-Options value only changes what older browsers do).
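To make both points concrete (what the policy line above allows, and how a scanner should check framing protection), here is an added example in Python that is not part of this article or SiteGlowUp's own code: it classifies a response with frame-ancestors as authoritative and X-Frame-Options as the legacy fallback, and applies frame-ancestors source matching to embedding origins. The policy line is the one quoted above; the page origin https://www.example.com and the other origins are made up, and port wildcards are left out.

```python
# Added example, not SiteGlowUp's code. SITE_POLICY is the directive quoted in the article;
# every origin used with it is constructed. Port wildcards are not supported.
from urllib.parse import urlsplit

SITE_POLICY = "frame-ancestors 'self' https://app.siteglowup.ai https://staging-app.siteglowup.ai"
DEFAULT_PORTS = {"http": 80, "https": 443}

def parse_csp(value):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive keeps its first value."""
    policy = {}
    for directive in value.split(";"):
        if (tokens := directive.split()):
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def _parts(url, fill_default=False):
    """(scheme, host, port); port is None when absent unless fill_default is set."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, u.hostname, u.port or (DEFAULT_PORTS.get(scheme) if fill_default else None)

def ancestor_allowed(sources, page_origin, ancestor_origin):
    """Does this frame-ancestors list let ancestor_origin embed page_origin?"""
    if not sources or sources == ["'none'"]:
        return False
    scheme, host, port = _parts(ancestor_origin, fill_default=True)
    for src in sources:
        if src == "'self'":        # same scheme, host and effective port as the page
            if (scheme, host, port) == _parts(page_origin, fill_default=True):
                return True
            continue
        if src == "*":
            return True
        # host source: scheme must match (http may be upgraded to https), host may use a *. wildcard
        s_scheme, s_host, s_port = _parts(src if "://" in src else f"{scheme}://{src}")
        scheme_ok = s_scheme == scheme or (s_scheme == "http" and scheme == "https")
        host_ok = bool(s_host) and (s_host == host or (s_host.startswith("*.") and host.endswith(s_host[1:])))
        port_ok = s_port == port if s_port else port == DEFAULT_PORTS.get(scheme)
        if scheme_ok and host_ok and port_ok:
            return True
    return False

def framing_protection(headers):
    """Browsers that understand frame-ancestors ignore X-Frame-Options, so it decides first."""
    h = {k.lower(): v for k, v in headers.items()}
    if "frame-ancestors" in parse_csp(h.get("content-security-policy", "")):
        return "frame-ancestors"
    if h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"):
        return "x-frame-options"
    return "none"
```

Running framing_protection over the site's response headers returns "frame-ancestors", which is the answer the scanner's checklist fails to give.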
What you can do
Click Dismiss on the recommendation. Your site is protected; the scanner is just reading from an outdated playbook. We continue to monitor the security-headers landscape and will update if browser behavior changes.
