How to use X-Frame-Options's `ALLOW-FROM` directive

Evan Hahn edited this page May 27, 2020 · 2 revisions

The X-Frame-Options header has a directive, ALLOW-FROM, which is obsolete. It has limited browser support and has been superseded by the frame-ancestors Content Security Policy directive. To quote MDN: "don't use it."

If you need to set this directive value for some reason, you can create your own small middleware function. Here's what that might look like:

```js
// NOTE: `ALLOW-FROM` is not supported in most browsers.
app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "ALLOW-FROM https://example.com");
  next();
});
```
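As an added example (not Helmet's own code), here is a framework-agnostic version of that middleware that sets `ALLOW-FROM` together with its replacement, the CSP `frame-ancestors` directive, so browsers that ignore `ALLOW-FROM` still get a framing policy. The `frameAncestors` and `headersSetBy` names and the fake response object are assumptions for illustration, not Express or Helmet APIs.

```javascript
// Added example (not part of Helmet): middleware that sets the obsolete
// ALLOW-FROM directive alongside the CSP frame-ancestors directive.
// Works with any Express-style (req, res, next) middleware stack.

function frameAncestors(allowedOrigins) {
  if (allowedOrigins.length === 0) {
    throw new Error("frameAncestors: need at least one allowed origin");
  }
  // Normalize and validate at startup, so a misconfiguration fails fast
  // rather than silently producing an invalid header on every response.
  const origins = allowedOrigins.map((value) => {
    const url = new URL(value); // throws on unparsable input
    if (url.protocol !== "https:" && url.protocol !== "http:") {
      throw new Error(`frameAncestors: unsupported scheme in ${value}`);
    }
    return url.origin; // strips any path, query string or fragment
  });

  return function middleware(req, res, next) {
    // ALLOW-FROM accepts exactly one origin, so only the first one is used.
    // Browsers that never implemented ALLOW-FROM ignore the whole header,
    // which is why the CSP directive below is what actually enforces policy.
    res.setHeader("X-Frame-Options", `ALLOW-FROM ${origins[0]}`);
    res.setHeader(
      "Content-Security-Policy",
      `frame-ancestors ${origins.join(" ")}`
    );
    next();
  };
}

// Test helper (constructed, not an Express API): runs the middleware against
// a minimal fake response and returns the headers it set, keyed in lowercase.
function headersSetBy(middleware) {
  const headers = {};
  const res = {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value; },
  };
  let nextCalled = false;
  middleware({}, res, () => { nextCalled = true; });
  if (!nextCalled) throw new Error("middleware did not call next()");
  return headers;
}

// Usage in an Express app: app.use(frameAncestors(["https://example.com"]));
```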