I would like to see the X-Frame-Options header included on all requests where possible. The header is used to indicate whether a browser should be allowed to render a page in an iframe, frame, embed, or object per the docs here. As a best practice for our clients, we should prevent their site from being able to be embedded into an iframe unless they explicitly allow for it.
Out of the box, the site should send an X-Frame-Options: SAMEORIGIN header (see send_frame_options_header()) on all applicable requests. Optionally, we can also send the Content-Security-Policy: frame-ancestors <source> header, too, which is a stronger header to send but requires an allow list of sources.
The header should also have a short-circuit filter to quickly disable it.
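One way to implement this request in a WordPress plugin, as an added example rather than code from this project: it hooks the core send_headers action, calls the core send_frame_options_header() helper, optionally appends a Content-Security-Policy: frame-ancestors header built from an allow list, and exposes a short-circuit filter. The filter names example_send_frame_headers and example_frame_ancestors are hypothetical; send_headers, send_frame_options_header(), apply_filters(), headers_sent(), header() and __return_false are real WordPress/PHP APIs.

```php
<?php
/**
 * Plugin Name: Frame Embedding Protection (added example, not project code)
 *
 * Sends X-Frame-Options: SAMEORIGIN on front-end responses and, when an
 * allow list is configured, a Content-Security-Policy: frame-ancestors
 * header as the stronger companion. A filter short-circuits the whole thing.
 */

// Hypothetical filter name. Returning false disables both headers.
add_action( 'send_headers', 'example_send_frame_headers' );

/**
 * Build the frame-ancestors source list from a configured allow list.
 *
 * Every site is allowed to frame itself ('self'); extra sources come from
 * the hypothetical example_frame_ancestors filter and must be host- or
 * scheme-sources as defined by CSP (e.g. https://partner.example).
 *
 * @param array $allowed Extra sources, typically from the filter.
 * @return string        Value for the frame-ancestors directive.
 */
function example_frame_ancestors_value( array $allowed ) {
	$sources = array( "'self'" );
	foreach ( $allowed as $source ) {
		$source = trim( (string) $source );
		// Reject anything that does not look like a host- or scheme-source
		// so a bad filter value cannot inject extra directives (';', ',').
		if ( '' === $source || ! preg_match( '#^[A-Za-z][A-Za-z0-9+.-]*:(//)?[A-Za-z0-9*.-]*(:\d+)?$|^[A-Za-z0-9*.-]+(:\d+)?$#', $source ) ) {
			continue;
		}
		$sources[] = $source;
	}
	return implode( ' ', array_unique( $sources ) );
}

/**
 * Emit the clickjacking-protection headers for the current request.
 */
function example_send_frame_headers() {
	// Short-circuit: a theme or site-specific plugin can turn this off with
	// add_filter( 'example_send_frame_headers', '__return_false' );
	if ( false === apply_filters( 'example_send_frame_headers', true ) ) {
		return;
	}

	// Nothing to do if output already started (headers cannot be changed).
	if ( headers_sent() ) {
		return;
	}

	// Core helper: emits "X-Frame-Options: SAMEORIGIN".
	send_frame_options_header();

	// Optional stronger header. An empty allow list means only this origin
	// may frame the site, which matches SAMEORIGIN exactly.
	$allowed = apply_filters( 'example_frame_ancestors', array() );
	header( 'Content-Security-Policy: frame-ancestors ' . example_frame_ancestors_value( (array) $allowed ) );
}
```

To let a specific partner embed the site, a client would add something like add_filter( 'example_frame_ancestors', function () { return array( 'https://partner.example' ); } ); (constructed hostname), which yields frame-ancestors 'self' https://partner.example while X-Frame-Options stays SAMEORIGIN; browsers that understand CSP give frame-ancestors precedence, and older ones fall back to X-Frame-Options. The validation in example_frame_ancestors_value() is what keeps a misconfigured allow list from weakening the header rather than just failing.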
Use Case
When a user tries to put a client site into an iframe, they shouldn't be able to because the X-Frame-Options: SAMEORIGIN header is being sent.