I'm running a NodeJS app on an NGINX web server. I'm able to access all the URLs in my app via iframe on other websites.

Here is my NGINX conf:

proxy_hide_header X-Frame-Options;

How do I restrict the iframe to allow only 1 URL instead of all the URLs? Also, how do I allow only a few domains to access via iframe? Can it be done via NGINX or should it be handled via NodeJS code?
Thankfully, the ability to restrict iframes is supported by IE 10, Firefox, Chrome, and Safari. It's called the sandbox attribute. Just adding the sandbox attribute is enough to severely lock down an iframe.

Apart from the higher resource demand and other performance issues, there is no fixed limit on the number of those tags on one page.
It can be done via both NGINX conf and nodejs.

For NGINX conf, please use both X-Frame-Options and Content Security Policy (frame-ancestors):

# For modern browsers: list every origin that may embed the page
add_header Content-Security-Policy "frame-ancestors domain1 domain2 domain3";
# For older browsers: ALLOW-FROM accepts exactly one origin, so only one can be listed here
add_header X-Frame-Options "ALLOW-FROM domain1";

To get more details: X-Frame-Options, Content-Security-Policy
It can be done by both nginx or nodejs. If you'd prefer nginx, you should use it within a location block like:

server {
    location / {
        # Default: nobody may frame these pages
        add_header Content-Security-Policy "frame-ancestors 'none'";
        add_header X-Frame-Options "DENY";
    }
    location /iframing_is_allowed {
        # Note: add_header directives are not inherited from the server level
        # once a location defines its own, so each location must set its own set
        add_header Content-Security-Policy "frame-ancestors http: https:";
        # Drop the upstream's X-Frame-Options so it cannot override the CSP above
        proxy_hide_header X-Frame-Options;
    }
}

Otherwise, if you'd prefer nodejs, you should set these headers from your JS code in the corresponding endpoints.

If you are looking for what options you have, please consult the X-Frame-Options and Content-Security-Policy docs, as Thang Duc pointed out.