X-Frame Options

Learn how the X-Frame Options feature controls which sites are allowed to frame your content.

The X-Frame Options feature adds the X-Frame-Options HTTP response header to prevent unauthorized framing of your website. This header is commonly used to mitigate clickjacking attacks by restricting how and where your content can be embedded inside an <iframe>.

When enabled, the CDN includes the header in responses according to the configuration you provide.

How X-Frame Options Works

You can configure X-CDN Header in the Medianova Control Panel or via the API.

When the feature is active:

  • The CDN adds an X-Frame-Options header to viewer responses.

  • If no domain is configured, the CDN sets:

        X-Frame-Options: SAMEORIGIN

    which allows framing only from the same domain.

  • If one or more domains are provided, the CDN applies:

        X-Frame-Options: ALLOW-FROM <domain>

    for each allowed domain, enabling selective embedding.

Use Cases

Prevent clickjacking

Block external sites from embedding your pages to protect users from UI redress attacks.

Allow trusted partners

Permit framing only from specific domains that require embedded content (e.g., partner dashboards, internal tools).

Enforce controlled embedding behavior

Define clear, browser-enforced restrictions on how your content is presented in external applications.

Notes

  • ALLOW-FROM is not supported by all browsers. Modern security policies often prefer CSP frame-ancestors.

  • X-Frame-Options does not affect API endpoints or non-HTML content.

  • If multiple allowed domains are configured, behavior may vary by browser due to varying support levels.

The browser enforces the framing policy and blocks disallowed attempts.

This header has no effect on origin requests; it is applied only to viewer-facing responses.

Figure: X-Frame Options configuration area inside the Headers tab
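
An added example, not Medianova's code: a Python check that reads the framing headers of one viewer response, flags the two cases called out in the Notes (ALLOW-FROM and multiple allowed domains), and returns the CSP frame-ancestors value that expresses the same intent. The sample headers and the partner.example / tools.example hosts are constructed, and one header line per allowed domain is an assumption about how the CDN emits them.

```python
# Added example. Sample headers are constructed; *.example hosts are placeholders.
def audit_framing(headers):
    """headers: (name, value) pairs from one viewer response.
    Returns (verdict, findings, suggested_csp)."""
    xfo, ancestors = [], None
    for name, value in headers:
        lname = name.lower()
        if lname == "x-frame-options":
            # Repeated header lines and comma-joined values mean the same thing.
            xfo += [v.strip() for v in value.split(",") if v.strip()]
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors = parts[1:]
    kinds, allowed, findings = set(), [], []
    for v in xfo:
        token, _, origin = v.partition(" ")
        kinds.add(token.upper())
        if token.upper() == "ALLOW-FROM" and origin.strip():
            allowed.append(origin.strip())
    if "ALLOW-FROM" in kinds:
        findings.append("ALLOW-FROM is not supported by all browsers")
    if len(xfo) > 1:
        findings.append("multiple X-Frame-Options values: behaviour varies by browser")
    # Equivalent frame-ancestors source list for the same intent.
    if "DENY" in kinds:
        sources = ["'none'"]
    else:
        sources = (["'self'"] if "SAMEORIGIN" in kinds else []) + allowed
    suggested = "frame-ancestors " + " ".join(sources) if sources else None
    if ancestors is not None:
        verdict = "csp-frame-ancestors"  # CSP-aware browsers enforce this over XFO
    elif not xfo:
        verdict = "no-policy"
    elif findings:
        verdict = "browser-dependent"
    else:
        verdict = "x-frame-options"
    return verdict, findings, suggested

SAMPLE_DEFAULT = [("Content-Type", "text/html"), ("X-Frame-Options", "SAMEORIGIN")]
SAMPLE_PARTNERS = [("X-Frame-Options", "ALLOW-FROM https://partner.example"),
                   ("X-Frame-Options", "ALLOW-FROM https://tools.example")]
SAMPLE_WITH_CSP = SAMPLE_PARTNERS + [("Content-Security-Policy",
    "default-src 'self'; frame-ancestors https://partner.example https://tools.example")]

if __name__ == "__main__":
    for sample in (SAMPLE_DEFAULT, SAMPLE_PARTNERS, SAMPLE_WITH_CSP):
        print(audit_framing(sample))
```

A "browser-dependent" verdict means the partner allow-list should also be delivered as the suggested frame-ancestors value, which is the mechanism the Notes describe as preferred.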