| 1 | # X-Frame-Options middleware
|
| 2 |
|
| 3 | The `X-Frame-Options` HTTP header restricts who can put your site in a frame which can help mitigate things like [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). The header has two modes: `DENY` and `SAMEORIGIN`.
|
| 4 |
|
| 5 | This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors) but is still useful on old browsers.
|
| 6 |
|
| 7 | If your app does not need to be framed (and most don't) you can use `DENY`. If your site can be in frames from the same origin, you can set it to `SAMEORIGIN`.
|
| 8 |
|
| 9 | Usage:
|
| 10 |
|
| 11 | ```javascript
|
| 12 | const frameguard = require("frameguard");
|
| 13 |
|
| 14 | // Don't allow me to be in ANY frames:
|
| 15 | app.use(frameguard({ action: "deny" }));
|
| 16 |
|
| 17 | // Only let me be framed by people of the same origin:
|
| 18 | app.use(frameguard({ action: "sameorigin" }));
|
| 19 | app.use(frameguard()); // defaults to sameorigin
|
| 20 | ```
|
| 21 |
|
| 22 | A legacy action, `ALLOW-FROM`, is not supported by this middleware. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)
|