X-Frame-Options Header Checker - Prevent clickjacking

Pricing

Pay per usage

Fetches URLs and validates the X-Frame-Options response header (DENY/SAMEORIGIN). Flags missing/invalid/deprecated values and also detects CSP frame-ancestors. Outputs per-URL results plus SUMMARY and REPORT.

Developer

Bikram Adhikari

Maintained by Community

X-Frame-Options Header Checker

Checks whether a website returns the X-Frame-Options response header, which helps prevent clickjacking.

Modern note: Many sites use CSP frame-ancestors instead of (or in addition to) X-Frame-Options. This Actor reports both.

What the Actor does

For each URL it:

  1. Fetches response headers (HEAD first, optional GET fallback)
  2. Parses X-Frame-Options (supports DENY, SAMEORIGIN, flags deprecated ALLOW-FROM)
  3. Detects Content-Security-Policy frame-ancestors directive (if present)
  4. Outputs per-URL results plus SUMMARY and REPORT
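The header evaluation in steps 2 and 3, sketched as an added example (not the Actor's own code). The function names, the issue codes and the `restricted` flag are assumptions made for illustration; the other result keys borrow the field names listed under Output.

```python
# Added illustration, not the Actor's source; issue codes are hypothetical.
VALID = {"DENY", "SAMEORIGIN"}

def csp_frame_ancestors(csp_values):
    """Source list of the first frame-ancestors directive found, else None."""
    for policy in ",".join(csp_values).split(","):  # a header may carry several policies
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return " ".join(parts[1:])
    return None

def evaluate_framing(headers, expected="ANY"):
    """headers: list of (name, value) pairs, so repeated headers are preserved."""
    xfo = [v for k, v in headers if k.lower() == "x-frame-options"]
    csp = [v for k, v in headers if k.lower() == "content-security-policy"]
    ancestors = csp_frame_ancestors(csp)
    raw = [t.strip() for v in xfo for t in v.split(",") if t.strip()]
    directive, allow_from, issues = None, None, []
    if not raw:
        issues.append("XFO_MISSING")
    elif len({t.upper() for t in raw}) > 1:
        issues.append("XFO_CONFLICTING")  # ambiguous; do not guess which one wins
    elif raw[0].upper() in VALID:
        directive = raw[0].upper()
    elif raw[0].upper().startswith("ALLOW-FROM"):
        directive = "ALLOW-FROM"
        allow_from = raw[0][len("ALLOW-FROM"):].strip() or None
        issues.append("XFO_ALLOW_FROM_DEPRECATED")
    else:
        issues.append("XFO_INVALID")
    if expected != "ANY" and directive != expected:
        issues.append("XFO_UNEXPECTED")
    # Framing counts as restricted with a valid XFO value or a non-wildcard frame-ancestors.
    restricted = directive in VALID or (
        ancestors is not None and "*" not in ancestors.split())
    return {"directive": directive, "allowFrom": allow_from,
            "cspFrameAncestors": ancestors, "issues": issues, "restricted": restricted}

if __name__ == "__main__":
    # Constructed sample responses (not real scan output).
    samples = [
        [("X-Frame-Options", "DENY")],
        [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self'")],
        [("x-frame-options", "ALLOW-FROM https://a.example")],
        [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    ]
    for headers in samples:
        print(headers, "->", evaluate_framing(headers))
```

Headers are passed as pairs rather than a dict because a response that repeats X-Frame-Options with different values would otherwise lose one of them before the check runs.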

Input

  • Start URLs (startUrls): Request List Sources format
  • Request strategy (requestStrategy): HEAD-only, GET-only, or HEAD→GET fallback
  • Expected directive (expectedDirective): ANY, DENY, or SAMEORIGIN
  • Warn on missing (warnOnMissing): warn if X-Frame-Options is missing

Plus: maxUrls, timeoutSecs, followRedirects, maxRedirects, maxConcurrency, and proxyConfiguration.

Output

Dataset (per-URL results)

Each item includes:

  • startUrl, finalUrl, statusCode, redirected, checkedAt, usedMethod, timingMs
  • xFrameOptionsRaw, directive, allowFrom
  • cspFrameAncestors (string or null)
  • score (0–100 heuristic), issues, warningCount, errorCount, ok

Key-value store

  • SUMMARY: aggregate counts and top issue codes
  • REPORT: same as summary (structured JSON)

Example input

{
    "startUrls": [{"url": "https://example.com"}],
    "maxUrls": 1,
    "timeoutSecs": 20,
    "requestStrategy": "HEAD_THEN_GET",
    "expectedDirective": "ANY",
    "warnOnMissing": true,
    "maxConcurrency": 2,
    "proxyConfiguration": {"useApifyProxy": false}
}

Quick start

Store page: https://apify.com/scrappy_garden/x-frame-options-header-checker

Paste this into Input and click Run:

{
    "startUrls": [
        {
            "url": "https://example.com/"
        }
    ],
    "proxyConfiguration": {
        "useApifyProxy": false
    }
}

Outputs (what you get)

  • Dataset: items typically include fields such as startUrl, finalUrl, statusCode, xFrameOptionsRaw, directive, allowFrom, cspFrameAncestors, score, ok, warningCount.
  • Key-value store: REPORT, SUMMARY

Tips (trust + predictable results)

  • Start with 1–3 URLs to validate behavior, then scale up.
  • If a target blocks requests, enable Proxy and/or slow down concurrency in Input.
  • Use the SUMMARY / REPORT keys (when present) for automation pipelines and monitoring.
