Which statement best describes the X-Frame-Options header?

Study for the CompTIA SecurityX Test. Equip yourself with comprehensive flashcards and multiple choice questions that include hints and explanations. Gear up for your certification exam!

Multiple Choice

Which statement best describes the X-Frame-Options header?

X-Frame-Options is an HTTP response header that controls whether a page can be displayed within a frame, iframe, or object. By dictating framing permissions, it helps prevent clickjacking, a technique where a malicious site embeds another site in a frame to trick a user into interacting with it unknowingly. The header conveys a policy such as denying framing altogether or allowing framing only from the same origin, in which case the page can only be framed by the host’s own site. For that reason, the description that it prevents clickjacking by declaring a policy that framing is restricted to the host/browser context best captures its purpose. It isn’t about cross-origin resource sharing, enforcing HTTPS-only connections, or setting a broader content security policy (though CSP can also influence framing with its own directives).
