Change the HEADER X-Frame-Options to one of my environments

I am trying to display the front-end of my site inside of an IFrame in my CMS (Sanity) and I am getting “Refused to display ‘’ in a frame because it set ‘X-Frame-Options’ to ‘deny’.”

Is this something that I can manage via the netlify.toml file?

site name: mystifying-stonebraker-9e3541


As per MDN, the allow value won’t work for modern browsers, except for same origin.

hey @carlos.claro did you figure this out? I am trying to do exactly the same thing.

@carlos.claro I got this working for my preview in Sanity:

Content-Security-Policy: frame-ancestors 'self'

Hi @isaac-martin, I had parked this for a bit, but your solution looks promising. Let me give it a go!

Hey @isaac-martin was your change added to the .toml file? Thanks.

Mine was added to the headers field in gatsby-plugin-netlify; however, it outputs on build to my _headers file. I believe adding it to the toml does the same.

Can you elaborate on how you put it into Gatsby via the plugin?

```js
// gatsby-config.js (the plugin entry; the other plugins in the array are omitted)
module.exports = {
  plugins: [
    {
      resolve: "gatsby-plugin-netlify",
      options: {
        // Written to the _headers file at build time; applied to every path.
        headers: {
          "/*": [
            "X-XSS-Protection: 1; mode=block",
            "X-Content-Type-Options: nosniff",
            "Referrer-Policy: same-origin",
            "Content-Security-Policy: frame-ancestors 'self'",
          ],
        },
      },
    },
  ],
};
```

Just put it above for you - let me know if that is enough.
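For anyone who wants the netlify.toml route asked about earlier rather than the Gatsby plugin, here is the equivalent header block. This is an added example, not something posted in the thread; the studio origin and the localhost port are placeholders that need replacing with the origin your Sanity studio is actually served from.

```toml
# netlify.toml equivalent of the gatsby-plugin-netlify headers above.
# Netlify reads this at deploy time, so no _headers file is needed.
[[headers]]
  for = "/*"
  [headers.values]
    X-Content-Type-Options = "nosniff"
    Referrer-Policy = "same-origin"
    # Browsers that understand frame-ancestors ignore X-Frame-Options when
    # both headers are present, so this CSP decides who may frame the site.
    # 'self' covers the site itself; the two origins after it are PLACEHOLDERS
    # for the deployed Sanity studio and the local studio dev server
    # (assumed to run on port 3333). List only the origins you actually use;
    # a bare '*' here would give up the clickjacking protection that the
    # default "X-Frame-Options: deny" from the question was providing.
    Content-Security-Policy = "frame-ancestors 'self' https://YOUR-STUDIO-ORIGIN.example http://localhost:3333"
    # Fallback for old browsers without frame-ancestors support: same-origin
    # framing only, instead of the deny that triggered the error.
    X-Frame-Options = "SAMEORIGIN"
```

After deploying, `curl -sI https://<your-site>.netlify.app | grep -i -E 'x-frame-options|content-security-policy'` shows whether the new values are being served; if the old deny is still there, the rule is not matching the path.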