Use Content Security Policy to deny IFraming

If you have a site, others can put it into an IFrame. This opens the door to attacks such as clickjacking, where a malicious site intercepts clicks intended for your site.

To prevent this, you can send a header that tells the browser not to allow your page to be loaded inside an IFrame. This used to be the X-Frame-Options header, but it has now been superseded by Content-Security-Policy.

To use it, send a CSP header with the frame-ancestors directive. To deny all IFraming, use 'none', like this:

Content-Security-Policy: frame-ancestors 'none';

Instead of 'none', you can also specify a whitelist of domains that are allowed to IFrame your site. This gives you fine control.

And it also comes with all the goodness of CSP, like the reporting ability and a report-only version.

The only limiting factor is that frame-ancestors must be delivered in an HTTP response header; browsers ignore it when the policy is set in a meta tag.
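As an added example (not code from the original post), the following Python builds the header described above, for both the enforcing and the report-only variant, and models how a browser decides whether an embedding page's origin is permitted by frame-ancestors. The source matching is a simplified version of the CSP3 rules (paths in host-sources are ignored) and all origins in the tests are constructed placeholders.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def build_frame_ancestors(allowed, report_only=False):
    """Return (header name, header value); an empty allow-list denies all framing."""
    sources = " ".join(allowed) if allowed else "'none'"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, f"frame-ancestors {sources};"

def frame_ancestors_sources(csp):
    """Return the frame-ancestors source list of a CSP header value, or [] if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return []

def _origin(u):
    return (u.scheme, u.hostname, u.port if u.port is not None else DEFAULT_PORTS.get(u.scheme))

def _source_matches(src, page, ancestor):
    """Simplified CSP3 matching of one source expression (paths in host-sources are ignored)."""
    if src == "'self'":
        return _origin(page) == _origin(ancestor)
    if src.endswith(":"):                        # scheme-source such as "https:"
        return ancestor.scheme == src[:-1]
    # host-source; a missing scheme means the page's own scheme (https may upgrade http)
    pat = urlsplit(src if "://" in src else f"//{src}", scheme=page.scheme)
    scheme_ok = pat.scheme == ancestor.scheme or (pat.scheme == "http" and ancestor.scheme == "https")
    if pat.hostname.startswith("*."):            # wildcard matches subdomains only, never the apex
        host_ok = ancestor.hostname.endswith(pat.hostname[1:])
    else:
        host_ok = pat.hostname == ancestor.hostname
    # an explicit port must match; otherwise the ancestor must use its scheme's default port
    port_ok = pat.port == _origin(ancestor)[2] if pat.port is not None \
        else _origin(ancestor)[2] == DEFAULT_PORTS.get(ancestor.scheme)
    return scheme_ok and host_ok and port_ok

def framing_allowed(csp, page_url, ancestor_url):
    """Decide, as a browser would, whether ancestor_url may frame page_url under this CSP."""
    sources = frame_ancestors_sources(csp)
    if not sources:
        return True                              # no directive: CSP does not restrict framing
    if sources == ["'none'"]:
        return False
    page, ancestor = urlsplit(page_url), urlsplit(ancestor_url)
    return any(_source_matches(s, page, ancestor) for s in sources)
```

Running the evaluator against a policy before deploying it shows which partners' origins would be cut off, which is the same question the report-only header answers in production.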
