X-FRAME-OPTIONS Response Header

I hadn’t previously realised this, but MVC adds an X-FRAME-OPTIONS: SAMEORIGIN header to page responses as a security measure to prevent the site's pages from being loaded in iframes on other sites. The header can be suppressed in ASP.NET 5 applications by setting the relevant antiforgery option in Startup.cs:


        public void ConfigureServices(IServiceCollection services)
        {
            // Suppress the X-FRAME-OPTIONS header to allow loading in an iframe
            services.AddAntiforgery(options =>
            {
                options.SuppressXFrameOptionsHeader = true;
            });

            // Add framework services.
            services.AddMvc();
        }
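
Suppressing the header lifts the framing restriction for every origin, not only the one that needs to embed the site. The Startup.cs below is an added example, not code from the original post: it suppresses the header as above and replaces it with a Content-Security-Policy `frame-ancestors` allowlist. The origin `https://portal.example.com` is a placeholder, and the `Microsoft.AspNetCore.*` namespaces and the `Configure` pipeline are assumptions about the application.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using System.Threading.Tasks;

public class Startup
{
    // Assumption: origins allowed to embed this site in a frame (placeholder value).
    private static readonly string[] AllowedFrameAncestors =
    {
        "'self'",
        "https://portal.example.com"
    };

    public void ConfigureServices(IServiceCollection services)
    {
        // Stop antiforgery from emitting X-FRAME-OPTIONS: SAMEORIGIN,
        // which would block the allowlisted parent as well.
        services.AddAntiforgery(options =>
        {
            options.SuppressXFrameOptionsHeader = true;
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        var policy = "frame-ancestors " + string.Join(" ", AllowedFrameAncestors);

        // Registered before MVC so every response, including errors, carries the policy.
        app.Use(async (context, next) =>
        {
            // Headers can only be changed until the response starts, so hook OnStarting.
            context.Response.OnStarting(() =>
            {
                // Append rather than overwrite: browsers enforce every CSP header
                // they receive, so an existing policy stays in force.
                context.Response.Headers.Append("Content-Security-Policy", policy);
                return Task.CompletedTask;
            });
            await next();
        });

        app.UseMvc();
    }
}
```

Browsers that do not implement `frame-ancestors` will apply no framing restriction once the X-FRAME-OPTIONS header is suppressed.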
