X-Frame-Options header
This article describes the X-Frame-Options header and how to configure it for your i4connected installation.
The X-Frame-Options HTTP response header indicates whether a browser is allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. Sites can use it to prevent clickjacking attacks by ensuring that their content is not embedded into other sites.
The added security is provided only if the user accessing the document is using a browser that supports X-Frame-Options. For more details on browser compatibility, please also read this article.
The X-Frame-Options header can be configured in the Web.config file under the i4connected API folder by providing the following directives:
The DENY parameter specifies that the page cannot be displayed in a frame, regardless of the site attempting to do so.
The SAMEORIGIN parameter specifies that the page can only be displayed in a frame on the same origin as the page itself.
Note
If the X-Frame-Options header is set to DENY, any attempt to load the page in a frame fails, both when loaded from other sites and when loaded from the same site.
If the X-Frame-Options header is set to SAMEORIGIN, the page can be loaded in a frame, as long as the site including it in a frame is the same as the one serving the page.
Tip
For i4connected, it is recommended that the X-Frame-Options header is set to SAMEORIGIN.
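To check the setting after editing Web.config, the following added example (not part of the i4connected documentation or product) parses the file content and reports a missing, duplicated, or misspelled X-Frame-Options entry. It assumes the header is defined in the standard IIS customHeaders section; the function name audit_xfo and the sample fragments are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The two values the page documents for this header.
ALLOWED = {"DENY", "SAMEORIGIN"}

# Constructed sample Web.config content, not copied from an i4connected install.
# Assumption: the header is set through the standard IIS <customHeaders> section.
GOOD = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""
MISSING = GOOD.replace("X-Frame-Options", "X-Content-Type-Options").replace("SAMEORIGIN", "nosniff")
TYPO = GOOD.replace("SAMEORIGIN", "SAMEORIGN")


def audit_xfo(web_config_xml, recommended="SAMEORIGIN"):
    """Return a list of findings for X-Frame-Options; an empty list means OK."""
    root = ET.fromstring(web_config_xml)
    # Look in every <customHeaders> section, including ones under <location>.
    adds = [a for ch in root.iter("customHeaders") for a in ch.findall("add")]
    # Header names are case-insensitive, so compare in lower case.
    values = [a.get("value", "").strip() for a in adds
              if a.get("name", "").lower() == "x-frame-options"]
    if not values:
        return ["X-Frame-Options is not set in customHeaders"]
    findings = []
    if len(values) > 1:
        findings.append("X-Frame-Options is defined %d times" % len(values))
    for v in values:
        if v.upper() not in ALLOWED:
            findings.append("unsupported value %r (expected DENY or SAMEORIGIN)" % v)
        elif v.upper() != recommended:
            findings.append("value %s differs from the recommended %s"
                            % (v.upper(), recommended))
    return findings


if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("missing", MISSING), ("typo", TYPO)):
        print(name, "->", audit_xfo(cfg) or "OK")
```

To audit a real installation, read the Web.config file from the i4connected API folder and pass its text to audit_xfo.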