Enable Clickjack Protection for Visualforce Pages Even When Headers Are Disabled

Clickjack protection secures your Visualforce pages against user interface redress attacks. You can enable clickjack protection for Visualforce pages that suppress the standard header. The setting is global to your organization and applies to all your Visualforce pages.

To enable clickjack protection for Visualforce pages that suppress the standard header, select Enable clickjack protection for customer Visualforce pages with headers disabled under Setup | Security Controls | Session Settings.

Clickjack protection is implemented by adding a X-Frame-Options: SAMEORIGIN header to Visualforce pages. When headers are suppressed by setting showHeader="false" on a page, this header isn’t added to the page, and clickjack protection is disabled.

Normally, suppressing headers is the desired behavior because it strips out unnecessary resources and provides a clean slate for your Visualforce pages. This new session setting lets you turn only the clickjack protection functionality back on, which adds the required header to your Visualforce pages.

Enabling clickjack protection for Visualforce pages has some side effects. When this header is activated, only pages served from the Visualforce domain can wrap Visualforce pages in an <iframe>, or otherwise embed Visualforce pages.

Some existing Salesforce features embed Visualforce in frames. If you enable clickjack protection for Visualforce pages, these features no longer work. Examples include custom console components in the Salesforce Console, custom dashboards that embed Visualforce pages, and other features you have extended using Visualforce. We recommend that you test clickjack protection in a sandbox or Developer Edition organization to verify the behavior before enabling it in your production organization.

If your organization displays Visualforce pages within a frame or <iframe>, it’s possible that the clickjack-protected pages display either as a blank page or without the frame. The behavior varies depending on your browser and its version. Although there are reasons to frame pages, hackers can abuse framed pages.

You have two options for handling existing framed Visualforce pages.
  • Discontinue displaying these pages within a frame or <iframe>. This solution is recommended.
  • Don’t enable clickjack protection for your Visualforce pages. This option allows you to continue framing Visualforce pages, but the pages are vulnerable to clickjack attacks. This option isn’t recommended.


Along with this new setting, labels for the existing clickjack protection settings are updated for consistency and clarity across all four clickjack settings. The behavior of the existing settings is unchanged.