Block my website from being iframed

In my netlify.toml file I typed the following:
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"

This file is in the publish folder and the whole file has been deployed to Netlify,
but my website can still be iframed.
My question: how do I block my website from being iframed?

hey there, @beladey :wave:

Thanks so much for reaching out and welcome to the Netlify Forums. First, have you looked through this resource? It is a compilation of all of our build and deploy resources. This is a good starting point.

If those resources don’t get you on the right track, can you share a bit more information about what you are trying to accomplish?

Lastly, please share these additional details so we can look into your experience further:

  • the name of your build instance
  • your project repo
  • a full copy of your latest deploy log
  • what you have already tried
  • any error messages you have received in your terminal window or in the developer console

Thanks so much!

Hey @beladey

Check out Content-Security-Policy - HTTP | MDN, specifically the frame-ancestors directive.

Here’s a demonstration.
The site has no CSP, thus embedding it in an <iframe> on is possible.

The site does have CSP, thus embedding it in an <iframe> on is not possible.

I just followed the instructions on this link:

I do not understand what is wrong with this implementation:
in my netlify.toml file I typed the following:
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"

What do I do in order to make this trick work?

Sorry, the documentation has so much information that I could not get the point.
Any specific help to achieve what you already did?


Can you share the site name please.


I don’t see the X-Frame-Options header present. Did you define the path for the headers?

  [[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"
    [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"

You need the [[headers]] section that defines the paths the rule will apply to.
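To verify that a deployed rule like the one above (or the frame-ancestors CSP directive mentioned earlier in the thread) actually blocks framing, here is an added checker that is not from the thread or from Netlify: given a response's headers, the framed page's URL and a would-be embedder's URL, it decides whether a browser would allow the embed. It follows the browser rule that a frame-ancestors directive, when present, takes precedence over X-Frame-Options; ports are ignored as a simplification, and the sample header set is constructed.

```python
from urllib.parse import urlsplit

def _origin(url):
    # (scheme, host) only; ports are ignored in this simplified check
    p = urlsplit(url)
    return p.scheme.lower(), (p.hostname or "").lower()

def _source_matches(source, origin):
    # Match one CSP source expression (scheme:, host, *.host, scheme://host) against an origin.
    scheme, host = origin
    src = source.lower()
    if "://" not in src and src.endswith(":"):
        return src[:-1] == scheme            # scheme-only source such as https:
    if "://" in src:
        src_scheme, src = src.split("://", 1)
        if src_scheme != scheme:
            return False
    src = src.split("/", 1)[0].split(":", 1)[0]   # drop any path and port
    if src.startswith("*."):
        return host.endswith(src[1:])         # wildcard subdomain match
    return host == src                        # keyword sources ('self' etc.) fall through as no match

def framing_allowed(headers, page_url, embedder_url):
    """True if a browser would let embedder_url put page_url in an <iframe>."""
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = _origin(page_url), _origin(embedder_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        # frame-ancestors is present: it wins over X-Frame-Options, so decide here.
        sources = parts[1:]
        if [s.lower() for s in sources] == ["'none'"]:
            return False
        return any((s.lower() == "'self'" and embedder == page) or _source_matches(s, embedder)
                   for s in sources)
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return embedder == page
    # No header, or a value modern browsers ignore (e.g. ALLOW-FROM): framing is allowed.
    return True

# Constructed sample: the headers Netlify would send once the [[headers]] rule is in place.
NETLIFY_HEADERS = {"X-Frame-Options": "DENY", "X-XSS-Protection": "1; mode=block"}
```

Fetch the real headers with any HTTP client and pass them in; an empty or misplaced netlify.toml shows up as the "no header" case returning True.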

do I type website address?
I want to implement that to all pages?

No. You add exactly what I have shown above (which is from the documentation.) See this example also (copy and paste it.)

I pasted this:

  [[headers]]
  for = "/*"
    [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"

It still does not work; sorry, I did not understand the meaning of "header".

X-Frame-Options and X-XSS-Protection are both Headers.

This is in a netlify.toml file? Where is this file located? This file must reside in the root of your project.

If you are deploying from a git repository, can you share this repository?

The netlify.toml file was in the .netlify folder, and .gitignore contains .netlify, so the whole folder was ignored.
I just moved the netlify.toml file from the .netlify folder to the publish folder and now it works. Thank you for your patience, I appreciate your help.


Hey there, @beladey :wave:

Thanks for coming back and confirming! Glad everything is working now. And thanks @coelmay for some great debugging steps. :netliconfetti: