X-Frame-Options

Enabled by default. Part of the smaller but still important security response headers.


The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a `<frame>`, `<iframe>`, `<embed>` or `<object>`. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

ℹ Read more about this header here.

Usage

This header is enabled by default, but you can change its behavior as follows.

```ts
export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xFrameOptions: <OPTIONS>,
    },
  },
  // Per route
  routeRules: {
    '/custom-route': {
      headers: {
        'X-Frame-Options': <OPTIONS>
      },
    }
  }
})
```

You can also disable this header by setting `xFrameOptions: false`.

Default value

By default, Nuxt Security will set the following value for this header.

X-Frame-Options: SAMEORIGIN

Available values

The `xFrameOptions` header can be configured with the following values.

xFrameOptions: 'DENY' | 'SAMEORIGIN' | false;

DENY

The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN

The page can only be displayed if all ancestor frames are same-origin with the page itself.
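The following added example (not part of the module's code) models how the configuration above resolves to a header value per route and how a browser applies `DENY` and `SAMEORIGIN` to a chain of ancestor frame origins; the config shape and the module default are taken from this page, while the route and origin values are constructed for illustration.

```javascript
// Resolve the effective X-Frame-Options value for a route from a nuxt-security style
// config: a per-route routeRules header wins over the global security.headers value,
// `false` disables the header (returned as null), and the module default is SAMEORIGIN.
function resolveXFrameOptions(config, route) {
  const perRoute = config.routeRules?.[route]?.headers?.['X-Frame-Options'];
  if (perRoute !== undefined) return perRoute;
  const global = config.security?.headers?.xFrameOptions;
  if (global === undefined) return 'SAMEORIGIN'; // module default
  return global === false ? null : global;
}

// Origin of a URL (scheme + host + port), the unit X-Frame-Options compares on.
function originOf(url) {
  return new URL(url).origin;
}

// Simulate the browser decision: may `pageUrl` be rendered inside the given chain of
// ancestor frames (outermost last) under `headerValue`? An empty chain is a top-level
// navigation, which the header never blocks; a missing header imposes no restriction.
function framingAllowed(headerValue, pageUrl, ancestorUrls) {
  if (ancestorUrls.length === 0) return true;
  if (headerValue === null || headerValue === undefined) return true;
  switch (String(headerValue).toUpperCase()) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN': {
      const page = originOf(pageUrl);
      return ancestorUrls.every((u) => originOf(u) === page);
    }
    default:
      return true; // browsers ignore an unrecognised value, so it is treated as absent
  }
}

// Constructed sample config: DENY globally, SAMEORIGIN for an embeddable widget route.
const sampleConfig = {
  security: { headers: { xFrameOptions: 'DENY' } },
  routeRules: { '/widget': { headers: { 'X-Frame-Options': 'SAMEORIGIN' } } },
};

// Walk a few constructed cases and return the outcomes for inspection.
function demo() {
  const page = 'https://app.example/widget';
  return {
    widgetFromSameOrigin: framingAllowed(resolveXFrameOptions(sampleConfig, '/widget'), page, ['https://app.example/dashboard']),
    widgetFromThirdParty: framingAllowed(resolveXFrameOptions(sampleConfig, '/widget'), page, ['https://evil.example/']),
    widgetNestedMixed: framingAllowed(resolveXFrameOptions(sampleConfig, '/widget'), page, ['https://app.example/inner', 'https://evil.example/']),
    rootFromSameOrigin: framingAllowed(resolveXFrameOptions(sampleConfig, '/'), 'https://app.example/', ['https://app.example/other']),
  };
}
```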