Web Security Headers Show Divergent Adoption Trends Over Three Years
Analysis of the web's top 1 million sites reveals significant shifts in the adoption of X-Frame-Options and Content Security Policy (CSP) frame-ancestors headers, with overall usage decreasing in the top 1,000 domains but rising sharply in larger datasets.

A recent analysis of the internet's top 1 million websites has revealed evolving trends in the adoption of crucial security headers designed to prevent overlay phishing attacks. The study, which revisits a similar analysis conducted three years prior, found that while the overall percentage of websites employing either X-Frame-Options or Content Security Policy (CSP) with frame-ancestors directives has decreased in the very top tier of sites, adoption has significantly increased across broader segments of the web.
These headers serve a critical function: they instruct web browsers on whether a page can be embedded within an iframe on another site. This capability is frequently abused by threat actors to perpetrate "overlay phishing" attacks. In such schemes, an attacker crafts a malicious page that loads a legitimate website, such as a bank's login page, within a full-screen iframe. A fake login prompt is then overlaid on top, tricking users into entering their credentials, believing they are interacting with the genuine site.
Implementing X-Frame-Options or CSP's frame-ancestors directive effectively mitigates this threat. When properly configured, browsers will refuse to render the page within an iframe, thereby preventing the overlay attack. The victim would instead see an error message indicating the page cannot be loaded, which should raise suspicion about any subsequent login forms presented.
While both headers aim to prevent framing, they differ in their capabilities. X-Frame-Options is the older standard, offering directives like DENY (no framing allowed), SAMEORIGIN (framing allowed only by pages from the same origin, i.e. the same scheme, host and port), and ALLOW-FROM (framing allowed by a specific domain, though this directive has limited browser support and is considered obsolete). CSP's frame-ancestors, on the other hand, is more modern and flexible, supporting similar directives ('none' and 'self') but also offering advanced options like wildcard matching for subdomains.
Modern browsers generally prioritize CSP's frame-ancestors directive, often ignoring X-Frame-Options if both are present. However, X-Frame-Options remains relevant for compatibility with older browsers. Many web servers continue to send both headers simultaneously to ensure broad protection without conflict.
The latest analysis, conducted by scanning the top 1 million domains from the Tranco list, shows a decrease in overall header coverage from 27.1% in 2023 to 23.1% in 2026 for the top 1,000 domains. This decline, which runs counter to the trend in the larger samples, is attributed to potential shifts in the composition of the top 1,000 list, possibly including more infrastructure or API-focused domains that do not serve traditional web content and thus omit security headers.
Conversely, for the top 100,000 domains, coverage surged from 20.6% to 37.4%, and for the entire top 1 million, it grew from 14.4% to 29.7%. This indicates a growing awareness and implementation of these protective measures across a larger swath of the internet.
Within the specific directives, SAMEORIGIN remains the most common configuration for X-Frame-Options across all sample sizes, reflecting its practical utility for many web applications. While its usage slightly declined in the top 1,000 domains, it saw notable increases in the larger datasets, mirroring the overall trend of increased adoption.
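The directive semantics and browser precedence described earlier (frame-ancestors overriding X-Frame-Options when both are present; DENY, SAMEORIGIN and the ignored ALLOW-FROM; 'self' and subdomain wildcards) together with the survey's bucketing of sites by which header they send, as an added Python example written for this page. It is not the study's scanner: `framing_allowed`, `classify` and `tally` are hypothetical helpers, the domain names and responses are constructed, and CSP host-source matching is simplified (no http-to-https upgrade matching, path components ignored).

```python
"""Added example: decide whether a response's anti-framing headers would stop an
iframe embed, then bucket a batch of responses the way the survey does.
Hypothetical helper code written for this page, not the study's scanner."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(url):
    """Reduce an origin URL to (scheme, host, port), filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _frame_ancestors(csp_value):
    """Return the source list of a frame-ancestors directive, or None if the policy has none."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _host_source_matches(source, embedder):
    """Match one CSP host-source ('https://*.partner.example', 'partner.example:8443',
    'https:') against an embedder origin. Simplified (assumption for this example):
    no http->https upgrade matching, and any path component is ignored."""
    e_scheme, e_host, e_port = embedder
    if source.endswith(":") and "://" not in source:      # scheme-source such as "https:"
        return source[:-1].lower() == e_scheme
    scheme, rest = source.split("://", 1) if "://" in source else (None, source)
    rest = rest.split("/", 1)[0]                           # drop any path
    host, _, port = rest.partition(":")
    host = host.lower()
    if scheme:
        scheme = scheme.lower()
        if scheme != e_scheme:
            return False
        if not port and DEFAULT_PORTS.get(scheme) != e_port:
            return False                                   # no explicit port: the scheme's default must match
    if port and port != "*" and port != str(e_port):
        return False
    if host == "*":
        return True
    if host.startswith("*."):                              # wildcard covers subdomains only, not the bare domain
        return e_host.endswith(host[1:]) and e_host != host[2:]
    return host == e_host


def framing_allowed(headers, page_origin, embedder_origin):
    """True if a browser would render page_origin inside an iframe hosted on embedder_origin.
    Precedence as the text describes: a CSP frame-ancestors directive, when present, is
    authoritative and X-Frame-Options is ignored; otherwise X-Frame-Options decides."""
    h = {k.lower(): v for k, v in headers.items()}
    page, emb = _origin(page_origin), _origin(embedder_origin)
    same_origin = page == emb

    csp = h.get("content-security-policy")
    sources = _frame_ancestors(csp) if csp is not None else None
    if sources is not None:
        for src in sources:
            low = src.lower()
            if low == "'none'":
                continue                                   # matches nothing; an empty list blocks all framing
            if low == "'self'":
                if same_origin:
                    return True
            elif not low.startswith("'") and _host_source_matches(src, emb):
                return True
        return False

    xfo = h.get("x-frame-options")
    if xfo is None:
        return True                                        # no anti-framing header at all
    values = {v.strip().lower() for v in xfo.split(",") if v.strip()}
    if len(values) != 1:
        return False                                       # conflicting values: browsers refuse to render
    value = values.pop()
    if value == "deny":
        return False
    if value == "sameorigin":
        return same_origin
    return True                      # ALLOW-FROM and unrecognised values are ignored by current browsers


def classify(headers):
    """Bucket one response: which anti-framing headers it sends, plus the X-Frame-Options directive."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    has_fa = csp is not None and _frame_ancestors(csp) is not None
    xfo = h.get("x-frame-options")
    parts = (xfo or "").split()
    directive = parts[0].upper() if parts else None
    bucket = {(True, True): "both", (True, False): "frame-ancestors-only",
              (False, True): "xfo-only", (False, False): "none"}[(has_fa, xfo is not None)]
    return bucket, directive


def tally(responses):
    """Count buckets over {domain: headers} and report coverage (percent sending either header)."""
    counts = {"none": 0, "xfo-only": 0, "frame-ancestors-only": 0, "both": 0}
    for hdrs in responses.values():
        counts[classify(hdrs)[0]] += 1
    protected = len(responses) - counts["none"]
    coverage = round(100.0 * protected / len(responses), 1) if responses else 0.0
    return counts, coverage


# Constructed sample responses (not survey data) to exercise the functions.
SAMPLE_RESPONSES = {
    "bank.example": {"X-Frame-Options": "SAMEORIGIN"},
    "shop.example": {"Content-Security-Policy": "frame-ancestors 'self'", "X-Frame-Options": "SAMEORIGIN"},
    "api.example": {},
    "news.example": {"Content-Security-Policy": "frame-ancestors 'none'"},
    "cdn.example": {"Content-Security-Policy": "default-src 'self'"},   # CSP without frame-ancestors: no framing protection
}

if __name__ == "__main__":
    print(framing_allowed(SAMPLE_RESPONSES["bank.example"], "https://bank.example", "https://evil.example"))
    print(tally(SAMPLE_RESPONSES))
```

The X-Frame-Options branch follows the current HTML processing model, where a value other than DENY or SAMEORIGIN (including the obsolete ALLOW-FROM) is ignored rather than enforced, so a site relying on ALLOW-FROM alone shows up as frameable; the `cdn.example` entry illustrates the matching pitfall on the CSP side, a policy with no frame-ancestors directive that contributes nothing against framing.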