In my netlify.toml file I typed the following:
[headers.values]
  X-Frame-Options = "DENY"
  X-XSS-Protection = "1; mode=block"
This file is in the publish folder, and the whole file has been deployed to Netlify,
but my website can still be iframed.
My question: how do I block my website from being iframed?
Thanks.
hey there, @beladey
Thanks so much for reaching out and welcome to the Netlify Forums. First, have you looked through this resource? It is a compilation of all of our build and deploy resources. This is a good starting point.
If those resources don’t get you on the right track, can you share a bit more information about what you are trying to accomplish?
Lastly, please share these additional details so we can look into your experience further:
- the name of your build instance: “example-jones.netlify.com”
- your project repo
- a full copy of your latest deploy log
- what you have already tried
- any error messages you have received in your terminal window or in the developer console
Thanks so much!
Hey @beladey
Check out Content-Security-Policy - HTTP | MDN, specifically the frame-ancestors directive.
Here’s a demonstration.
The site fastidious-sawine-ced386.netlify.app has no CSP, thus embedding it in an <iframe> on lucent-rugelach-2acdaa.netlify.app/no-csp-iframe is possible.
The site grand-boba-b7398f.netlify.app does have a CSP, thus embedding it in an <iframe> on lucent-rugelach-2acdaa.netlify.app/csp-iframe is not possible.
Thanks, I just followed the instructions on this link:
I do not understand what is wrong with this implementation.
In my netlify.toml file I typed the following:
[headers.values]
  X-Frame-Options = "DENY"
  X-XSS-Protection = "1; mode=block"
What do I do to make this trick work?
Sorry, the documentation has so much information that I could not get the point.
Any specific help to achieve what you already did?
Can you share the site name please.
Thanks.
I don't see the X-Frame-Options header present. Did you define the path for the headers?
[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
You need the [[headers]] section that defines the paths the rule will apply to.
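A quick way to verify what a browser will actually do with the headers a deploy returns, covering both the frame-ancestors demonstration earlier in the thread and the X-Frame-Options rule just shown. This is an added example, not code from this thread or from Netlify: it takes the raw output of `curl -I https://<your-site>.netlify.app/` and reports whether the page can be framed from a given embedding origin. The three header sets below are constructed rather than captured, the `trusted.example` hostnames are hypothetical, and the matcher handles the common frame-ancestors forms only ('self', 'none', *, a bare scheme, and host sources with an optional leading wildcard and port). X-XSS-Protection has no bearing on framing, so it is not checked.

```python
"""Added example (not from the thread): decide whether response headers let a
page be framed. CSP frame-ancestors is evaluated first, because browsers
apply it and ignore X-Frame-Options when both are present."""
from urllib.parse import urlsplit

# Constructed sample: deploy from a netlify.toml that had only [headers.values]
# and no [[headers]] block, so no rule was attached to any path.
HEADERS_UNPROTECTED = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
"""
# Constructed sample: the same deploy after adding `for = "/*"` under [[headers]].
HEADERS_XFO_DENY = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: DENY
x-xss-protection: 1; mode=block
"""
# Constructed sample: a deploy that uses CSP frame-ancestors instead (hypothetical hosts).
HEADERS_CSP_SELF = """\
HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'; frame-ancestors 'self' https://*.trusted.example
"""


def parse_raw_headers(raw):
    """Turn a `curl -I` dump into {lowercase-name: [value, ...]}."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def origin_of(url):
    """(scheme, host, port) of a URL, filling in the scheme's default port."""
    p = urlsplit(url)
    scheme = p.scheme.lower()
    return scheme, p.hostname.lower(), p.port or (443 if scheme == "https" else 80)


def source_matches(source, page_url, embedder_url):
    """Does one frame-ancestors source expression admit the embedding origin?"""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return origin_of(page_url) == origin_of(embedder_url)
    if source == "*":
        return True
    e_scheme, e_host, e_port = origin_of(embedder_url)
    if source.endswith(":") and "/" not in source:      # scheme-source such as https:
        return e_scheme == source[:-1]
    scheme, sep, rest = source.partition("://")         # host-source, scheme optional
    if not sep:
        scheme, rest = "", source
    host, _, port = rest.partition(":")
    if scheme and scheme != e_scheme:
        return False
    if port and port != "*" and int(port) != e_port:   # port is only checked when given
        return False
    if host.startswith("*."):                           # *.example matches subdomains only
        return e_host.endswith(host[1:])
    return e_host == host


def framing_allowed(raw_headers, page_url, embedder_url):
    """Return (allowed, reason) for putting page_url in an <iframe> on embedder_url."""
    headers = parse_raw_headers(raw_headers)
    policies = []                                       # one frame-ancestors source list per CSP header
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                policies.append(tokens[1:] or ["'none'"])   # bare directive means 'none'
    if policies:
        for sources in policies:                        # every policy present must allow it
            if not any(source_matches(s, page_url, embedder_url) for s in sources):
                return False, "blocked by CSP frame-ancestors"
        return True, "allowed by CSP frame-ancestors"
    xfo = headers.get("x-frame-options")
    if xfo:
        value = xfo[0].upper()                          # only the first header value is considered
        if value == "DENY":
            return False, "blocked by X-Frame-Options: DENY"
        if value == "SAMEORIGIN":
            same = origin_of(page_url) == origin_of(embedder_url)
            return same, "X-Frame-Options: SAMEORIGIN, embedder is " + ("same-origin" if same else "cross-origin")
        return True, f"X-Frame-Options {xfo[0]!r} is not DENY/SAMEORIGIN and is ignored"
    return True, "no X-Frame-Options and no frame-ancestors: page can be framed anywhere"


if __name__ == "__main__":
    page = "https://grand-boba-b7398f.netlify.app/"
    embedder = "https://lucent-rugelach-2acdaa.netlify.app/csp-iframe"
    for label, raw in (("no rule", HEADERS_UNPROTECTED), ("XFO DENY", HEADERS_XFO_DENY), ("CSP", HEADERS_CSP_SELF)):
        allowed, why = framing_allowed(raw, page, embedder)
        print(f"{label:8} framed={allowed}  ({why})")
```

Run it against your own site by replacing the constructed header strings with the real `curl -I` output; if the first case is what you see, the rule never reached the deployed site and the netlify.toml was either missing the `[[headers]]` path or was not picked up at all.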
Do I type the website address?
I want to implement that on all pages.
No. You add exactly what I have shown above (which is from the documentation). See this example also (copy and paste it).
I pasted this:
[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
It still doesn't work. Sorry, I did not understand the meaning of "header".
X-Frame-Options and X-XSS-Protection are both headers.
This is in a netlify.toml file? Where is this file located? This file must reside in the root of your project.
If you are deploying from a git repository, can you share this repository?
The netlify.toml file was in the .netlify folder, and the .gitignore contains .netlify, so the whole folder was ignored.
I just moved the netlify.toml file from the netlify folder to the publish folder and now it works. Thank you for your patience, I appreciate your help.
Hey there, @beladey
Thanks for coming back and confirming! Glad everything is working now. And thanks @coelmay for some great debugging steps.