Prevent other sites from showing my site via iframe

WordPress has a built-in function to send the X-Frame-Options header: send_frame_options_header(). It is used by default on the login and admin pages.

If you want to enable it always, just add it for front end views:

add_action( 'template_redirect', 'send_frame_options_header' );

But … it doesn’t send Content-Security-Policy headers. If you want to have a more complete solution and disable any frame, even from the same site, you can use:

function no_frame_headers()
{
    header( "X-Frame-Options: DENY", true );
    header( "Content-Security-Policy: frame-ancestors 'none'", true );
}

And then register that callback:

add_action( 'login_init',        'no_frame_headers', 1000 );
add_action( 'admin_init',        'no_frame_headers', 1000 );
add_action( 'template_redirect', 'no_frame_headers', 1000 );

This has to go into a plugin, of course.

tech