Kentico 13 x-frame-options

Matthew Butler asked on May 15, 2024 10:37

What is the recommended approach for applying X-Frame-Options in Kentico 13?

I added the header manually, but as suggested it prevents it from showing in the admin site.

Correct Answer

Brenden Kehren answered on May 15, 2024 16:19

We use the following in the Startup.cs Configure() method. It works with an Azure Web App too assuming you're not using the *.azurewebsites.net domain.

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'self' https://localhost:5000 https://*.yourdomain.com");
    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
    await next();
});
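The accepted answer inlines the two headers in Startup.cs. The example below is an added illustration, not code from the thread or from Kentico: it packages the same two headers as a reusable ASP.NET Core middleware, reads the allowed framing origins from a configuration key (the key name "Security:FrameAncestors" is assumed, not a Kentico setting), filters out anything that is not an https origin or localhost so a bad config value cannot corrupt the policy, and writes the headers with Append and the indexer rather than Headers.Add, which throws if the header is already present. The admin application loads the live site in an iframe for preview, so its origin is what needs to appear in the list. Both headers are HTTP response headers, so they show up in the Network tab of browser dev tools or in curl -I output, never as <meta> tags in the rendered HTML.

```csharp
// Added example (not from the thread or from Kentico): middleware that emits
// Content-Security-Policy: frame-ancestors ... and X-Frame-Options on every response.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

public sealed class FrameAncestorsMiddleware
{
    private readonly RequestDelegate _next;
    private readonly string _cspValue;

    public FrameAncestorsMiddleware(RequestDelegate next, IConfiguration configuration)
    {
        _next = next;

        // Assumed configuration shape (hypothetical key, not a Kentico setting), e.g. appsettings.json:
        // "Security": { "FrameAncestors": [ "https://localhost:5000", "https://*.yourdomain.com" ] }
        var allowed = configuration.GetSection("Security:FrameAncestors").Get<string[]>()
                      ?? Array.Empty<string>();

        // 'self' is always allowed; configured origins are added only if they look like
        // a single https origin (or localhost) so a stray value cannot inject directives.
        var sources = new List<string> { "'self'" };
        sources.AddRange(allowed.Where(IsValidSource));
        _cspValue = "frame-ancestors " + string.Join(" ", sources);
    }

    public Task InvokeAsync(HttpContext context)
    {
        // OnStarting runs just before the response headers are flushed, so the values
        // survive anything later middleware or the page does with the response.
        context.Response.OnStarting(() =>
        {
            var headers = context.Response.Headers;

            // Append rather than overwrite: if the site already sends a CSP header with
            // script-src etc., browsers enforce each CSP header independently, so the
            // existing policy is kept and frame-ancestors is enforced alongside it.
            headers.Append("Content-Security-Policy", _cspValue);

            // Fallback for browsers without CSP Level 2. Browsers that understand
            // frame-ancestors ignore X-Frame-Options when both headers are present,
            // so the CSP list above is what actually decides cross-origin framing.
            headers["X-Frame-Options"] = "SAMEORIGIN";
            return Task.CompletedTask;
        });

        return _next(context);
    }

    private static bool IsValidSource(string source) =>
        !string.IsNullOrWhiteSpace(source)
        && !source.Contains(' ')
        && !source.Contains(';')
        && (source.StartsWith("https://", StringComparison.OrdinalIgnoreCase)
            || source.StartsWith("http://localhost", StringComparison.OrdinalIgnoreCase));
}

public static class FrameAncestorsExtensions
{
    // In Startup.Configure(): app.UseFrameAncestors();
    // Register it early in the pipeline so static files and error pages get the headers too.
    public static IApplicationBuilder UseFrameAncestors(this IApplicationBuilder app) =>
        app.UseMiddleware<FrameAncestorsMiddleware>();
}
```

Keep the configured list as short as possible: every origin in frame-ancestors is an origin that may embed the live site, which is exactly the clickjacking surface the header exists to close.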

Recent Answers


Matthew Stone answered on November 18, 2024 20:39

I tried this method:

app.Use(async (context, next) =>
{
    context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'self' https://localhost:5000 https://*.yourdomain.com");
    context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN");
    await next();
});

by adding it to my startup file as suggested. I was expecting to see these security headers rendered in the header of my site, but they aren't. I was assuming it would be rendered something like this: <meta http-equiv="Content-Security-Policy" content="script-src 'self'; style-src 'self'; image-src 'self;">

Does the suggested code not do that, or does this code just allow the site to still be rendered correctly in preview mode within the Kentico CMS?
