Tags: apache, iframe, x-frame-options

X-Frame-Options not blocking iframe


I have set the X-Frame-Options header in Apache to DENY. The response header is correctly sent to the browser (see image). I just created a simple HTML file that loads an iframe which is loaded without any issue. I also checked Chrome devtools and the response header returns "x-frame-options: DENY". I was assuming that the header would block all iframes from being loaded?

[Image: X-Frame-Options response header]

[Image: full response headers]


Solution

  • Not really. X-Frame-Options: DENY prevents YOUR page from being loaded inside an iframe.

    X-Frame-Options: SAMEORIGIN will block only loading from other domains.

    It does nothing to iframes on the current page.

    The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.

    Source: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
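The following is an added example, not code from the question, the answer, Apache or MDN. It models the browser's framing decision in Python so the asymmetry in the answer can be checked directly: the headers of the response being framed decide, the framing page's own header is never consulted. It also covers a caveat worth knowing when auditing: if the framed response carries a Content-Security-Policy with a frame-ancestors directive, browsers use that and ignore X-Frame-Options. The URLs (app.example, other.example, partner.example) and headers are constructed for illustration; CSP source matching is simplified to 'none', 'self', * and exact origins.

```python
"""Model of the browser-side framing decision behind X-Frame-Options.

Added example, not code from the question, the answer, or Apache/MDN.
The rules follow RFC 7034 (DENY / SAMEORIGIN) and the CSP frame-ancestors
directive, which browsers honour in preference to X-Frame-Options. The
URLs and headers below are constructed for illustration.
"""
from urllib.parse import urlsplit

_DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Return the origin (scheme://host[:port]) of a URL, lower-cased, with a
    default port omitted so that https://a.example:443 == https://a.example."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    host = (p.hostname or "").lower()
    port = p.port
    if port is None or port == _DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def _frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP header value, or
    None if the directive is absent. An empty source list matches nothing."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [s.strip("'").lower() for s in parts[1:]] or ["none"]
    return None


def _ancestor_allowed(sources, framed_origin: str, framing_origin: str) -> bool:
    """Match the framing origin against the simple source forms 'none',
    'self', * and an exact origin. Wildcard hosts and scheme-only sources
    are not modelled (a simplification of CSP source matching)."""
    for src in sources:
        if src == "none":
            return False
        if src == "*" or src == framing_origin:
            return True
        if src == "self" and framed_origin == framing_origin:
            return True
    return False


def frame_allowed(framed_url: str, framed_headers: dict, framing_url: str) -> bool:
    """Decide whether the document at framed_url, served with framed_headers,
    may render inside an <iframe> on the document at framing_url.

    Only the response headers of the *framed* document are consulted; the
    framing page's own X-Frame-Options never enters the decision.
    """
    headers = {k.lower(): v for k, v in framed_headers.items()}
    framed_origin = origin_of(framed_url)
    framing_origin = origin_of(framing_url)

    csp = headers.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:          # frame-ancestors present: XFO is ignored
            return _ancestor_allowed(sources, framed_origin, framing_origin)

    xfo = headers.get("x-frame-options")
    if xfo is None:
        return True                      # no policy: anyone may frame the page
    value = xfo.strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framed_origin == framing_origin
    # Any other value (including the obsolete ALLOW-FROM) is treated as if the
    # header were absent, which is how Chrome and Firefox handle values they
    # do not recognise (they log a console warning and ignore the header).
    return True


# Constructed scenario mirroring the question: the asker's page is served by
# Apache with X-Frame-Options: DENY and itself embeds a third-party page.
MY_PAGE = "https://app.example/index.html"
MY_HEADERS = {"Content-Type": "text/html", "X-Frame-Options": "DENY"}
THIRD_PARTY = "https://other.example/widget"
THIRD_PARTY_HEADERS = {"Content-Type": "text/html"}   # no framing policy at all


def questioner_scenario() -> dict:
    """Evaluate both directions of the asker's setup."""
    return {
        # The iframe on MY_PAGE loads: the decision uses THIRD_PARTY's headers,
        # and that response carries no policy.
        "my_page_embeds_third_party": frame_allowed(THIRD_PARTY, THIRD_PARTY_HEADERS, MY_PAGE),
        # DENY does protect MY_PAGE from being framed by another site ...
        "third_party_embeds_my_page": frame_allowed(MY_PAGE, MY_HEADERS, THIRD_PARTY),
        # ... and, unlike SAMEORIGIN, even by a page of its own origin.
        "my_page_embeds_itself": frame_allowed(MY_PAGE, MY_HEADERS, MY_PAGE),
    }


if __name__ == "__main__":
    for case, allowed in questioner_scenario().items():
        print(f"{case}: {'loads' if allowed else 'blocked'}")
```

Run it as a script and the first case reports "loads" while the other two report "blocked", which is exactly what the asker observed: the header on their own response has no effect on the iframe their page embeds, because the browser only looks at the headers of the framed document. When reviewing a site for clickjacking exposure, fetch the response of the page you care about and feed its headers to `frame_allowed` with a hostile framing origin; if the response also sets a frame-ancestors directive, that directive (not X-Frame-Options) is what the browser enforces.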