X-Frame-Options
Enabled Smaller but still important security response headers.
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>
, <iframe>
, <embed>
or <object>
. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.
Usage
This header is enabled by default but you can change its behavior like following.
export default defineNuxtConfig({
// Global
security: {
headers: {
xFrameOptions: <OPTIONS>,
},
},
// Per route
routeRules: {
'/custom-route': {
security: {
headers: {
xFrameOptions: <OPTIONS>,
},
},
}
}
})
You can also disable this header by xFrameOptions: false
.
Default value
By default, Nuxt Security will set following value for this header.
X-Frame-Options: SAMEORIGIN
Available values
The xFrameOptions
header can be configured with following values.
xFrameOptions: 'DENY' | 'SAMEORIGIN' | false;
DENY
The page cannot be displayed in a frame, regardless of the site attempting to do so.
SAMEORIGIN
The page can only be displayed if all ancestor frames are same origin to the page itself.