X-Frame-Options

Enabled Smaller but still important security response headers.


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.

ℹ Read more about this header here.

Usage

This header is enabled by default but you can change its behavior like following.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xFrameOptions: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xFrameOptions: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by xFrameOptions: false.

Default value

By default, Nuxt Security will set following value for this header.

X-Frame-Options: SAMEORIGIN

Available values

The xFrameOptions header can be configured with following values.

xFrameOptions: 'DENY' | 'SAMEORIGIN' | false;

DENY

The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN

The page can only be displayed if all ancestor frames are same origin to the page itself.