The final and more modern option is to use Content Security Policy (CSP) and its frame-ancestors directive. Like X-Frame-Options, this directive lets the application developer forbid framing entirely or restrict it to the page's own origin, but it also accepts an explicit list of allowed origins, including scheme-only sources and wildcard subdomains, which X-Frame-Options never did reliably. Two caveats apply. First, frame-ancestors is only honoured when delivered in the Content-Security-Policy HTTP response header; browsers ignore it in a <meta> element. Second, browsers that predate CSP Level 2 do not implement the directive at all, and browser plugins and add-ons that rewrite response headers may be able to strip or alter the policy. When a response carries both X-Frame-Options and a CSP frame-ancestors directive, the specification requires the browser to enforce frame-ancestors and ignore X-Frame-Options, but not every browser in use behaves that way.
Possible CSP frame-ancestors settings, from most to least restrictive (a bare host such as example.com matches that exact host on the page's own scheme; subdomains require *.example.com):
Content-Security-Policy: frame-ancestors 'none'
Content-Security-Policy: frame-ancestors 'self'
Content-Security-Policy: frame-ancestors example.com
Because none of these defenses is perfect, defense in depth is good practice, and there is nothing wrong with using all three on your websites. When sending both headers, make sure they agree (X-Frame-Options: DENY with frame-ancestors 'none', or SAMEORIGIN with 'self'), because a browser that honours only one of them will enforce whichever it understands.
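The following is an added example, not code from the original article: a small JavaScript model of how a browser evaluates the two header-based defenses described above, plus a helper that emits a matching header pair for a server to send. The page origin https://bank.test, the partner origins, and the header combinations are constructed for the illustration; the precedence rule (frame-ancestors present means X-Frame-Options is ignored) and the source-matching rules follow the CSP specification, simplified to scheme, host and port matching.

```javascript
"use strict";

// Parse a Content-Security-Policy header value into { directive: [tokens] }.
function parseCsp(header) {
  const out = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    out[name.toLowerCase()] = values;
  }
  return out;
}

// Does one frame-ancestors source expression match an embedding origin?
// Handles 'none', 'self', '*', scheme-source ("https:") and host-source with
// an optional "*." subdomain wildcard and port. Paths are not modelled.
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const anc = new URL(ancestorOrigin);
  if (source === "'none'") return false;
  if (source === "*") return anc.protocol === "https:" || anc.protocol === "http:";
  if (source === "'self'") {
    const self = new URL(pageOrigin);
    return anc.protocol === self.protocol && anc.host === self.host;
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) return anc.protocol === source.toLowerCase();
  const m = source.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?$/i);
  if (!m) return false;
  const [, scheme, host, port] = m;
  // A scheme-less source inherits the page's scheme; http: sources also match https: ancestors.
  const expectedScheme = scheme ? scheme.toLowerCase() + ":" : new URL(pageOrigin).protocol;
  if (anc.protocol !== expectedScheme && !(expectedScheme === "http:" && anc.protocol === "https:")) return false;
  const ancHost = anc.hostname.toLowerCase();
  if (host.startsWith("*.")) {
    // "*.example.com" matches sub.example.com but not the bare example.com.
    if (!ancHost.endsWith(host.slice(1).toLowerCase())) return false;
  } else if (ancHost !== host.toLowerCase()) {
    return false;
  }
  if (port === undefined) {
    if (anc.port !== "") return false;            // source without port matches only the default port
  } else if (port !== "*") {
    const ancPort = anc.port || (anc.protocol === "https:" ? "443" : "80");
    if (ancPort !== port) return false;
  }
  return true;
}

// Case-insensitive header lookup, as HTTP header names are case-insensitive.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// May pageOrigin be rendered with this chain of ancestor origins (outermost last)?
// An empty chain is a top-level load and is always allowed.
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  const csp = headerValue(headers, "content-security-policy");
  if (csp !== undefined) {
    const sources = parseCsp(csp)["frame-ancestors"];
    if (sources !== undefined) {
      // CSP Level 2+: frame-ancestors present, so X-Frame-Options is ignored.
      return ancestorOrigins.every((a) => sources.some((s) => sourceMatches(s, a, pageOrigin)));
    }
  }
  const xfo = headerValue(headers, "x-frame-options");
  if (xfo !== undefined) {
    const v = xfo.trim().toUpperCase();
    if (v === "DENY") return ancestorOrigins.length === 0;
    if (v === "SAMEORIGIN") return ancestorOrigins.every((a) => a === pageOrigin);
    return true; // unrecognised value (e.g. ALLOW-FROM): modern browsers ignore the header
  }
  return true; // no framing defense at all
}

// Header pair a server should send. [] forbids framing, ["'self'"] allows
// same-origin framing; any other allow-list can only be expressed with CSP,
// because X-Frame-Options has no portable equivalent (ALLOW-FROM is dead).
function buildFramingHeaders(allowedAncestors) {
  if (allowedAncestors.length === 0) {
    return { "X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none'" };
  }
  if (allowedAncestors.length === 1 && allowedAncestors[0] === "'self'") {
    return { "X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self'" };
  }
  return { "Content-Security-Policy": "frame-ancestors " + allowedAncestors.join(" ") };
}

module.exports = { parseCsp, sourceMatches, framingAllowed, buildFramingHeaders };
```

Note the two practical points the model makes visible: a scheme-less host source such as example.com inherits the page's scheme, so an http://example.com parent cannot frame an https: page, and every origin in the ancestor chain is checked, so a permitted partner page that is itself embedded by an attacker still fails the policy.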