# X-Frame-Options middleware

The `X-Frame-Options` HTTP header tells browsers which pages are allowed to put your site in a frame (`<frame>`, `<iframe>`, `<embed>` or `<object>`), which helps mitigate [clickjacking attacks](https://en.wikipedia.org/wiki/Clickjacking). The header has two supported modes: `DENY` and `SAMEORIGIN`.

This header is superseded by [the `frame-ancestors` Content Security Policy directive](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors), but it is still useful for old browsers that do not support that directive. Browsers that do support `frame-ancestors` ignore `X-Frame-Options` whenever a CSP with that directive is present, so if you send both, make sure they agree.

If your app does not need to be framed (and most don't), use `DENY`. If your site needs to be framed by pages from the same origin, set it to `SAMEORIGIN`.

Usage:

```javascript
const express = require("express");
const frameguard = require("frameguard");

const app = express();

// Don't allow me to be in ANY frames:
app.use(frameguard({ action: "deny" }));

// Only let me be framed by people of the same origin:
app.use(frameguard({ action: "sameorigin" }));
app.use(frameguard()); // defaults to sameorigin

// Pick one of the above; each call sets the header on every response.
```

A legacy action, `ALLOW-FROM`, is not supported by this middleware; it was never supported by Chrome or Safari, and the `frame-ancestors` CSP directive is the standard replacement. [Read more here.](https://github.com/helmetjs/helmet/wiki/How-to-use-X%E2%80%93Frame%E2%80%93Options's-%60ALLOW%E2%80%93FROM%60-directive)

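To make the behaviour described above concrete, here is a small hand-rolled middleware in the same shape as the usage snippet, with a stand-in response object so it can be exercised without a server. This is an added example, not frameguard's own source: it maps the `deny` and `sameorigin` actions to the header value the browser sees, rejects the legacy `allow-from` action, and also exposes the equivalent `frame-ancestors` value so the CSP you send can be kept consistent with the `X-Frame-Options` header. The function names (`resolveAction`, `frameProtection`, `runMiddleware`) are this example's own.

```javascript
// Added example (not the frameguard package's code): a minimal
// X-Frame-Options middleware plus the matching CSP frame-ancestors value.

// Map each supported action to the X-Frame-Options value and to the
// equivalent Content-Security-Policy frame-ancestors source list.
const ACTIONS = {
  deny: { xfo: "DENY", frameAncestors: "'none'" },
  sameorigin: { xfo: "SAMEORIGIN", frameAncestors: "'self'" },
};

// Normalise the option the way people usually write it (case-insensitive,
// dashes ignored) and refuse the legacy ALLOW-FROM action outright.
function resolveAction(action = "sameorigin") {
  const key = String(action).toLowerCase().replace(/-/g, "");
  if (key === "allowfrom") {
    throw new Error(
      "ALLOW-FROM is a legacy action; use the CSP frame-ancestors directive instead"
    );
  }
  const entry = ACTIONS[key];
  if (!entry) {
    throw new Error(`Unknown X-Frame-Options action: ${action}`);
  }
  return entry;
}

// Express-style middleware factory: sets X-Frame-Options on every response.
// The options shape ({ action }) mirrors the usage snippet above.
function frameProtection(options = {}) {
  const { xfo } = resolveAction(options.action);
  return function frameProtectionMiddleware(req, res, next) {
    res.setHeader("X-Frame-Options", xfo);
    next();
  };
}

// The frame-ancestors value to put in your existing CSP so that browsers
// which honour CSP (and therefore ignore X-Frame-Options) enforce the same
// policy as old browsers that only understand X-Frame-Options.
function frameAncestorsFor(action) {
  return `frame-ancestors ${resolveAction(action).frameAncestors}`;
}

// Tiny stand-in for an Express response so the middleware runs offline.
// Returns the headers that were set and whether next() was called.
function runMiddleware(middleware) {
  const headers = {};
  const res = {
    setHeader(name, value) {
      headers[name.toLowerCase()] = value;
    },
  };
  let nextCalled = false;
  middleware({}, res, () => {
    nextCalled = true;
  });
  return { headers, nextCalled };
}

// Usage with a real app would be: app.use(frameProtection({ action: "deny" }));
const denyResult = runMiddleware(frameProtection({ action: "deny" }));
console.log(denyResult.headers["x-frame-options"]); // DENY
console.log(frameAncestorsFor("deny")); // frame-ancestors 'none'
```

If your app already sends a `Content-Security-Policy` header, append the `frame-ancestors` value to that policy rather than sending a second CSP header, since multiple CSP headers are enforced as the intersection of all of them.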