Use Content Security Policy to deny IFraming
If you have a site, other sites can load it inside an IFrame. This opens the door to attacks like clickjacking, where a malicious page overlays your framed site with its own invisible controls and intercepts clicks the user intended for your site.
To prevent this, you can send a response header that tells the browser not to allow your page to be loaded inside an IFrame. This used to be the X-Frame-Options header, but it is now superseded by the Content-Security-Policy header. If you send both, a browser that understands CSP uses the frame-ancestors directive and ignores X-Frame-Options, so keeping X-Frame-Options: DENY as a fallback for old browsers does no harm.
To use it, send a CSP header with the frame-ancestors directive. To deny all IFraming, use 'none', like this:
Content-Security-Policy: frame-ancestors 'none';
Instead of 'none', you can also specify a list of sources that are allowed to IFrame your site: 'self' for your own origin, or host sources such as https://partner.example.com, including wildcards like https://*.example.com. This gives you fine control. Note that 'none' must stand alone; it cannot be combined with other sources.
It also comes with all the goodness of CSP, like violation reporting (report-uri or report-to) and a report-only variant (Content-Security-Policy-Report-Only) that lets you see who is currently framing your site before you start blocking anyone.
The only limiting factor is that frame-ancestors only works when sent as an HTTP header; browsers ignore it inside a <meta http-equiv="Content-Security-Policy"> tag. Also be aware that, unlike most fetch directives, frame-ancestors does not fall back to default-src, so you have to set it explicitly.