The X-Frame-Options response header

原帖地址：https://developer.mozilla.org/en-US/docs/Web/HTTP/X-Frame-Options?redirectlocale=en-US&redirectslug=The_X-FRAME-OPTIONS_response_header

The X-Frame-Options HTTP responseheader can be used to indicate whether or not a browser should be allowed torender a page in a <frame>, <iframe>or <object> .

Sites can use this to avoid clickjacking attacks,by ensuring that their content is not embedded into other sites.

Thereare three possible values for X-Frame-Options:

·        DENY

The page cannot be displayedin a frame, regardless of the site attempting to do so.

·        SAMEORIGIN

The page can only be displayedin a frame on the same origin as the page itself.

·        ALLOW-FROM uri

The page can only be displayedin a frame on the specified origin.

In other words, if youspecify DENY, not only will attempts to load the page in a frame fail whenloaded from other sites, attempts to do so will fail when loaded from the samesite.

On the other hand, if you specify SAMEORIGIN,you can still use the page in a frame as long as the site including it in aframe is the same as the one serving the page.

Here we can make it work fromIIS administration, please see the steps below.

1.      Open Internet Information Services (IIS) Manager.

2.      In the Connections pane on the left side, expand the Sites folder andselect the syngentaloyalty website.

3.      Double-click the HTTP Response Headers icon in the feature list in themiddle.

4.      In the Actions pane on the right side, click Add.

5.      In the dialog box that appears, type X-Frame-Options in the Name fieldand type SAMEORIGIN in the Value field.

6.      Click OK to save your changes.

Also you can open web.config to configure IIS to send the X-Frame-Options header, add this your site's Web.config file: