X-Frame-Options with deny does not block iframe

Question

I have an iRule as follows:when HTTP_RESPONSE {   &nbsp;&nbsp; if {!([HTTP::header exists "X-Frame-Options"])} {&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; HTTP::header insert X-Frame-Options "DENY"&nbsp;&nbsp; }}&nbsp;I expected the following page was blocked.&lt;html&gt;&nbsp;&lt;iframe src="https://abc.org/wfc/logon" title="description"&gt;&lt;/iframe&gt;&nbsp;&lt;head&gt;&lt;/head&gt;&nbsp;&lt;body&gt;&nbsp;&lt;/body&gt;&lt;/html&gt;&nbsp;But it was not blocked.What did I miss here ?&nbsp;thanks !!

gongya · Answer

After more reading, it seems the x-frame-options prevents the page in my server from being loaded by someone else, right ?

If I loaded another page in the same server within iframe, the page should be loaded ?

When I tested it, the page was still loaded within <iframe> page </iframe>. Is this supposed to be?

gongya · Answer

How can I test a page blocked by x-frame-options DENY ?&nbsp;

gongya · Answer

I figured it out.  thanks !!

Forum Discussion

X-Frame-Options with deny does not block iframe

3 Replies

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Cisco TACACS+ Config on ISE LTM Pair

Illegal Metacharacter in Parameter Name in Json Data

AS3 declaration to set cookie to preferred

SSL Bridging and FQDN rewrite Policy

Checking for X-Forwarded-For against an Address Data-Group

Related Content

Removing x-frame-options header from response when using APM

Clickjacking Protection Using X-FRAME-OPTIONS Available for Firefox

Set x-frames-options header values depending on URI

Applying APM on an iframe

Service Extensions with SSL Orchestrator: Advanced Blocking Pages

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS