Configuring X-Frame-Options
This header can be configured in three ways:
Configuration | Resulting header |
---|---|
policy="Disabled" | None |
policy="Deny" | X-Frame-Options: Deny |
policy="SameOrigin" | X-Frame-Options: SameOrigin |
NWebsec (ASP.NET 4): In web.config:

```xml
<x-Frame-Options policy="Disabled"/>
```
NWebsec.Owin (ASP.NET 4): Register the middleware in the OWIN startup class:
```csharp
using NWebsec.Owin;
...
public void Configuration(IAppBuilder app)
{
    app.UseXfo(options => options.SameOrigin());
}
```
NWebsec.Mvc (ASP.NET 4): As an MVC attribute, defaults to policy="Deny":

```csharp
// Default policy: Deny
[XFrameOptions]

// Explicit policy: SameOrigin
[XFrameOptions(Policy = XFrameOptionsPolicy.SameOrigin)]
```
The header is omitted for redirects.
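
To confirm that a deployed site emits what the table above promises, the following added example (not part of NWebsec or its documentation) audits raw HTTP responses against the configured policy. The function names and sample responses are constructed for illustration, and treating any 3xx status as a redirect is an assumption.

```python
# Added example: audit captured responses against the policy table above.
# Sample responses are constructed; a 3xx status is assumed to mean "redirect".

# Configured policy -> expected header value (lower-cased), per the table.
EXPECTED = {"Disabled": None, "Deny": "deny", "SameOrigin": "sameorigin"}


def parse_head(raw):
    """Return (status_code, [X-Frame-Options values]) from a raw response."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    status = int(lines[0].split()[1])  # "HTTP/1.1 200 OK" -> 200
    values = []
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        # Header field names are case-insensitive.
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip().lower())
    return status, values


def audit(raw, policy):
    """Classify a response: ok / missing / mismatch / duplicate / unexpected."""
    status, values = parse_head(raw)
    expected = EXPECTED[policy]
    if expected is None or 300 <= status < 400:
        # Disabled emits no header, and the header is omitted for redirects.
        return "ok" if not values else "unexpected"
    if not values:
        return "missing"
    if len(values) > 1:
        return "duplicate"  # more than one X-Frame-Options header line
    return "ok" if values[0] == expected else "mismatch"


# Constructed sample responses (not captured from a real site).
PAGE_DENY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
             "X-Frame-Options: Deny\r\n\r\n<html></html>")
PAGE_BARE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"
REDIRECT = "HTTP/1.1 302 Found\r\nLocation: /login\r\n\r\n"
PAGE_TWICE = ("HTTP/1.1 200 OK\r\nx-frame-options: DENY\r\n"
              "X-Frame-Options: SameOrigin\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("deny", PAGE_DENY), ("bare", PAGE_BARE),
                       ("redirect", REDIRECT), ("twice", PAGE_TWICE)]:
        print(label, audit(raw, "Deny"))
```

A "missing" result on a non-redirect page usually means the response came from a path the module, middleware or attribute does not cover, such as a static file handler or an action without the attribute.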