X-Frame Options

The X-Frame Options feature adds the X-Frame-Options HTTP response header to prevent unauthorized framing of your website. This header is commonly used to mitigate clickjacking attacks by restricting how and where your content can be embedded inside an <iframe>.

When enabled, the CDN includes the header in responses according to the configuration you provide.

How X-Frame Options Works

You can configure X-CDN Header in the Medianova Control Panel or via API

When the feature is active:

• The CDN adds an X-Frame-Options header to viewer responses.

• If no domain is configured, the CDN sets:

  Copy

  X-Frame-Options: SAMEORIGIN

  which allows framing only from the same domain.

• If one or more domains are provided, the CDN applies:

  Copy

  X-Frame-Options: ALLOW-FROM <domain>

  for each allowed domain, enabling selective embedding.

• The browser enforces the framing policy and blocks disallowed attempts.

Use Cases

Prevent clickjacking

Block external sites from embedding your pages to protect users from UI redress attacks.

Allow trusted partners

Permit framing only from specific domains that require embedded content (e.g., partner dashboards, internal tools).

Enforce controlled embedding behavior

Define clear, browser-enforced restrictions on how your content is presented in external applications.

Notes

• ALLOW-FROM is not supported by all browsers. Modern security policies often prefer CSP frame-ancestors.

• X-Frame-Options does not affect API endpoints or non-HTML content.

• If multiple allowed domains are configured, behavior may vary by browser due to varying support levels.

• This header has no effect on origin requests; it is applied only to viewer-facing responses.