Configuring X-Frame-Options¶

This header can be configured in three ways:

Configuration Resulting header
policy=”Disabled” None
policy=”Deny” X-Frame-Options: Deny
policy=”SameOrigin” X-Frame-Options: SameOrigin

NWebsec (ASP.NET 4): In web.config

<x-Frame-Options policy="Disabled"/>

NWebsec.Owin (ASP.NET 4): Register the middleware in the OWIN startup class:

using NWebsec.Owin;
...
public void Configuration(IAppBuilder app)
{
    app.UseXfo(options => options.SameOrigin());
}

NWebsec.Mvc (ASP.NET 4): As an MVC attribute, defaults to policy=”Deny”:

[XFrameOptions]
[XFrameOptions(Policy = XFrameOptionsPolicy.SameOrigin)]

The header is omitted for redirects.