Configuring X-Frame-Options¶
This header can be configured in three ways:
| Configuration | Resulting header |
|---|---|
| policy=”Disabled” | None |
| policy=”Deny” | X-Frame-Options: Deny |
| policy=”SameOrigin” | X-Frame-Options: SameOrigin |
Register the middleware in the startup class:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory)
{
...
app.UseStaticFiles();
app.UseXfo(options => options.SameOrigin());
app.UseMvc(...);
}
As an MVC attribute, defaults to policy=”Deny”:
[XFrameOptions]
[XFrameOptions(Policy = XFrameOptionsPolicy.SameOrigin)]
The header is omitted for redirects.