Block my website from being iframe

beladey · March 23, 2022, 11:56am

in netlify.toml file I typed the following:
[headers.values]
X-Frame-Options = “DENY”
X-XSS-Protection = “1; mode=block”

this file in the publish folder and the whole file has been deployed to the netlify.
but my website still could be iframe.
my question how do I block my website from being iframe?
thanks

hillary · March 23, 2022, 7:51pm

hey there, @beladey

Thanks so much for reaching out and welcome to the Netlify Forums. First, have you looked through this resource? It is a compilation of all of our build and deploy resources. This is a good starting point.

If those resources don’t get you on the right track, can you share a bit more information about what you are trying to accomplish?

Lastly, please share these additional details so we can look into your experience further:

the name of your build instance: “example-jones.netlify.com”
your project repo
a full copy of your latest deploy log
what you have already tried
any error messages you have received in your terminal window or in the developer console

Thanks so much!

coelmay · March 23, 2022, 9:15pm

Hey @beladey

Check out Content-Security-Policy - HTTP | MDN specificially the frame-ancestors directive.

Here’s a demonstration.
The site fastidious-sawine-ced386.netlify.app has no CSP, thus embedding it in an <iframe> on lucent-rugelach-2acdaa.netlify.app/no-csp-iframe is possible.

The site grand-boba-b7398f.netlify.app does have CSP, thus embedding it in an <iframe> on lucent-rugelach-2acdaa.netlify.app/csp-iframe is not possible.

beladey · March 23, 2022, 11:34pm

thanks,
I just followed the instructions on this link:

I do not understand what is the wrong with this implementation:
in my netlify.toml file I typed the following:
[headers.values]
X-Frame-Options = “DENY”
X-XSS-Protection = “1; mode=block”

what do I do in order to this trick works?

sorry the documentation has so huge information I could not get the point,
any specific help to achieve what you already did?

coelmay · March 23, 2022, 11:40pm

Can you share the site name please.

beladey · March 23, 2022, 11:46pm

coelmay · March 23, 2022, 11:49pm

Thanks.

I don’t see the X-Frame-Options header present. Did you define the path for the headers?

[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"

  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"

You need the [[headers]] section that defines the paths the rule will apply to.

beladey · March 23, 2022, 11:52pm

do I type website address?
I want to implement that to all pages?

coelmay · March 23, 2022, 11:54pm

No. You add exactly what I have shown above (which is from the documentation.) See this example also (copy and paste it.)

beladey · March 24, 2022, 12:00am

I pasted this:

[[headers]]
  for = "/*"
  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"


still not works, sorry I did not understand the meaning of header

coelmay · March 24, 2022, 12:08am

X-Frame-Options and X-XSS-Protection are both Headers.

This is in a netlify.toml file? Where is this file located? This file must reside in the root of your project.

If you are deploying from a git repository, can you share this repository?

beladey · March 24, 2022, 12:24am

the netlify.toml file was in .netlify folder which has .gitignore which has .netlify so the whole folder was ignored,
I just moved the netlify.toml file from netlify folder to the publish folder and now it is works, thank you for your patience, I appreciate your help

hillary · March 25, 2022, 1:28pm

Hey there, @beladey

Thanks for coming back and confirming! Glad everything is working now. And thanks @coelmay for some great debugging steps.