X-FRAME-OPTIONS Response Header

I hadn’t previously realised this, but MVC adds an X-FRAME-OPTIONS: SAMEORIGIN header to page responses as a security measure to prevent the site's pages from being loaded in iframes on other sites. The header can be removed in ASP.NET 5 applications by setting the relevant option in Startup.cs:

        public void ConfigureServices(IServiceCollection services)
        {
            // Suppress X-FRAME-OPTIONS header to allow loading in iframe
            services.AddAntiforgery(options =>
            {
                options.SuppressXFrameOptionsHeader = true;
            });

            // Add framework services.
        }
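
With the option set, no page carries the SAMEORIGIN header any more, so any site can frame any page. The following is an added example, not code from the original post: it keeps the suppression but re-applies a framing policy per response, allowing one trusted parent to frame one path via the CSP `frame-ancestors` directive and sending SAMEORIGIN everywhere else. The `/embed` prefix, the `https://portal.example.com` origin, the ASP.NET Core 1.x/2.x style `Startup` (ASP.NET 5 under its later name) and the absence of any other Content-Security-Policy header in the app are assumptions.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Assumed for this example: only /embed/* is meant to be framed,
    // and this origin is the single trusted parent site.
    private const string EmbedPrefix = "/embed";
    private const string TrustedParent = "https://portal.example.com";

    public void ConfigureServices(IServiceCollection services)
    {
        // Stop antiforgery from emitting its own header; the middleware
        // below decides the framing policy for each response instead.
        services.AddAntiforgery(options =>
        {
            options.SuppressXFrameOptionsHeader = true;
        });
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.Use(async (context, next) =>
        {
            // Headers are written just before the response starts.
            context.Response.OnStarting(() =>
            {
                var headers = context.Response.Headers;
                if (context.Request.Path.StartsWithSegments(EmbedPrefix))
                {
                    // Embeddable pages: this site and the trusted parent only.
                    headers["Content-Security-Policy"] =
                        "frame-ancestors 'self' " + TrustedParent;
                }
                else
                {
                    // Everything else keeps the behaviour the default header gave.
                    headers["X-Frame-Options"] = "SAMEORIGIN";
                    headers["Content-Security-Policy"] = "frame-ancestors 'self'";
                }
                return Task.CompletedTask;
            });
            await next();
        });
        app.UseMvc();
    }
}
```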
