I have 2 projects in node JS. I have included the response to the header of my project is res. header('X-Frame-Options','SAMEORIGIN').
When I generate the source link and include it with the element , this link only working for my domain, I can't include the with other domains.
How can access the with a different domain
Thank you...!
I have 2 projects in node JS. I have included the response to the header of my project is res. header('X-Frame-Options','SAMEORIGIN').
When I generate the source link and include it with the element , this link only working for my domain, I can't include the with other domains.
How can access the with a different domain
Thank you...!
Share Improve this question asked Feb 5, 2021 at 5:46 Thamarai KaniThamarai Kani 111 silver badge6 bronze badges2 Answers
Reset to default 4when it es to security, I suggest using helmet.js. So better install helmet.js then use it as middleware for security issues. For example write code below:
const express = require("express");
const helmet = require("helmet");
app = express();
app.use(helmet({
contentSecurityPolicy: {
directives: {
"frame-ancestors": ["'self'", "https://otherDomain.", "https://www.oneMoreDomain."]
}
}
}));
ContentSecurityPolicy's frame-ancestors is doing the same thing as FRAME-OPTIONS, but you can add whitelist of domains which will have permission using frames.
The main purpose of adding the X-Frame-Options headers is to prevent your page from being rendered within an <iframe> (or within a <frame>, <embed>, <object>). Based on the value of the header, you can prevent it pletely or just allow embedding within the same origin.
So if you need to allow rendering your page from any domain, you can just remove that header from the response.
Please refer this for more details https://developer.mozilla/en-US/docs/Web/HTTP/Headers/X-Frame-Options