Skip to main content

i4connected Knowledgebase 5.6

X-Frame-Options header


Check out this article and read more details about the X-Frame-Options header and learn how to configure it for your i4connected installation.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page as <frame>, <iframe>, <embed>, or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options. For more details on browser compatibility, please also read this article.

The X-Frame-Options header can be configured in the Web.config file under the i4connected API folder by providing the following directives:


The X-Frame-Options header

  • The DENY parameter specifies that the page cannot be displayed in a frame, regardless of the site attempting to do so.

  • The SAMEORIGIN parameter specifies that the page can only be displayed in a frame on the same origin as the page itself.


If the X-Frame-Options header is set to DENY, an attempt to load the page in a frame will fail when loaded from other sites, but will also fail when loaded from the same site.

If the X-Frame-Options header is set to SAMEORIGIN, the page can be loaded in a frame, as long as the site including it in a frame is the same as the one serving the page.


At the level of i4connected, it is recommendable that the X-Frame-Options header is set to SAMEORIGIN.