Securing Your Site from Being iFramed

Thu Apr 5, 2018

The HTML <iframe> tag essentially allows you to nest a full web page inside another web page, which can be useful as one method of reusing content in multiple places on your site, or for embedding media content from third-party sources (Embedding YouTube videos on your site is a common example).

This can be a useful tool for website developers but it can lead to worries of other websites using your content without authorization. If you are worried about other sites iFraming your content into their web pages then fear not, because you can actually control who has the ability to display your site's content with iFrames.

The configuration needs to be on the web server that hosts your actual website pages, so if you do not host your site on premises in favor of a cloud hosting provider then reach out to your hosting provider's technical support team or documentation about the ability to configure the web server's X-Frame options header

This header can be set to one of a few options:

  • DENY: Block all sites who request to iFrame your pages, 
  • SAMEORIGIN: Allow iFraming only for requests from the same domain origin (This will allow you to iFrame your own content, but block other sites from doing so.)
  • ALLOW-FROM With this option, you can specify a whitelist of domains that are allowed to iFrame content from your site.  (Useful if you are reusing your own content across more than one of your own domains or in partnership with other sites.)

The Mozilla's Developer Network has a great article documenting the X-Frame options header. It also contains some examples on how to configure this on three of the most common web servers: Apache, NginX, and IIS:

Piotr Butkiewicz
Piotr Butkiewicz
Web Consultant | Percussion Software