How to Prevent People from Displaying Your Content on Their Web Pages Inside of a Frame

This technique shows how to prevent a web site from displaying your content inside of a frame on their web page.

It looks something like this:

The section shaded in green is my content being displaying inside someone else’s web site. This is done by putting my content inside a <frame> or <iframe> tag.

If you are looking on how to deal with people who have copy and pasted your content on their web site, then see this article.

This is easy to prevent, but it requires editing your .htaccess file.

Why is this a problem?

First, someone else is using your hard work this means a potential loss of traffic to your site.

I say “potential loss” of traffic because my experience is that these are usually very small and insignificant sites and they are not really taking away any traffic.

Second, someone can be benefitting from your work if they run ads on their site.

Third, it dilutes your content: you created it, you should keep control over it.

Finally, some sites doing this can be “clickjacking” using your site and content. Essentially, they use your content to drive traffic (or force downloads) by putting up invisible buttons. This type of behaviour can tarnish your web site’s reputation.

Preventing Framing

1) Open your .htaccess file for editing.

Instructions for opening and editing .htaccess from cPanel can be found here.

2) Add one of the following lines:

Header append X-FRAME-OPTIONS "DENY"

or

Header append X-FRAME-OPTIONS "SAMEORIGIN"

How it Works

Each line results in some additional information being sent with your web page. This information tells any compliant browser (and they should all be compliant now) how to deal with content inside a frame.

If it is “DENY”, then the browser will refuse to load the content into the frame.

If it is “SAMEORIGIN”, then the browser will only load content into the frame if the page with the frame and the page loaded into the frame are both on the same web site.

For complete details on this see RFC 7034 (note: this is an external link). It also explains the option “ALLOW-FROM”.

Unless you use frames on your site, it is best to go with the first line.

3) Save the .htaccess file.

Other Options

A commonly promoted option is something called a “Framebuster”. This is a piece of javascript code that tries to force your web page out of the frame. Unfortunately, it can be defeated if (1) the user has javascript turned off, or (2) the web site framing your content runs anti-framebuster code. You can read more here (note: this is an external site).

The other common option is to add code to .htaccess to have the rewrite engine reload the page from the correct URL. I tried this technique first, but it didn’t work for me. The page I got this from is here (note: this is an external site).