CSP Policy Builder

Build Content-Security-Policy headers to control iframe embedding. Configure the frame-ancestors directive to specify which origins may load your pages inside a frame; a matching X-Frame-Options header is generated for browsers that predate CSP.

Frame-Ancestors Policy

Generated Headers

Content-Security-Policy (Modern)
Content-Security-Policy: frame-ancestors 'none';
X-Frame-Options (Legacy Support)
X-Frame-Options: DENY

Implementation Examples

Nginx
# In your nginx.conf or site config.
# add_header takes a name and a value; the value must be quoted because it contains a space.
# Note: add_header directives in a location block replace those inherited from the
# server block, so repeat any server-level headers here.
location / {
    add_header Content-Security-Policy "frame-ancestors 'none'" always;
    add_header X-Frame-Options "DENY" always;
}
Apache (.htaccess)
# In your .htaccess or apache config.
# "Header set" needs the header name followed by its value; frame-ancestors is the
# directive inside the Content-Security-Policy header, not a header of its own.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "frame-ancestors 'none'"
    Header always set X-Frame-Options "DENY"
</IfModule>
Node.js / Express
// Express.js middleware: register it before any route or static handler so
// every response carries the headers.
// The CSP value contains single quotes, so the string is delimited with double quotes.
app.use((req, res, next) => {
  res.setHeader('Content-Security-Policy', "frame-ancestors 'none'");
  res.setHeader('X-Frame-Options', 'DENY');
  next();
});

Security Considerations

Clickjacking Protection: These headers protect against clickjacking, where a malicious site embeds your page in an invisible or disguised frame to trick users into clicking controls they cannot see.
Use Both Headers: Send both CSP frame-ancestors and X-Frame-Options for maximum browser compatibility. A browser that supports frame-ancestors ignores X-Frame-Options when both are present, so keep the two consistent ('none' with DENY, 'self' with SAMEORIGIN). Both must be sent as HTTP response headers: frame-ancestors is ignored in a <meta http-equiv> tag.
Test Thoroughly: After implementing, test your pages to ensure legitimate embedding still works where intended. Use our iframe tester to verify.
Allow-Lists and HTTPS: When allowing specific sites, write the scheme (https://partner.example rather than partner.example) so that a plaintext http:// page on the same host cannot embed you; an HTTPS page loaded inside an HTTP page is not mixed content, so only the scheme in the source expression keeps such ancestors out. X-Frame-Options cannot express an allow-list (ALLOW-FROM is no longer supported by browsers), so allow-listed embedding is enforced only by CSP, and the header itself should be served over HTTPS so it cannot be stripped in transit.
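The following is an added example, not the code behind this builder: a small JavaScript implementation of the two halves of the job described above. buildFrameAncestorsHeaders turns an allow-list into the CSP/X-Frame-Options pair (refusing non-HTTPS origins and declining to emit an X-Frame-Options value for allow-lists, since ALLOW-FROM is dead), and embeddingAllowed evaluates a response's headers against a would-be embedder the way a browser does, applying frame-ancestors first and X-Frame-Options only as the fallback. Function names, the origin regex and the sample origins are assumptions made for the example.

```javascript
// Added example (not the page's tool code). Assumed names: buildFrameAncestorsHeaders,
// frameAncestorsSources, sourceMatches, embeddingAllowed; sample origins are invented.

// An allow-list entry must be an https:// origin, optionally with a *. host wildcard.
const ORIGIN_RE = /^https:\/\/(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:\d{1,5})?$/i;

// Build the header pair from `allowed`: [] denies all, ['self'] allows the
// page's own origin, otherwise a list of https:// origins (optionally plus 'self').
function buildFrameAncestorsHeaders(allowed) {
  if (allowed.length === 0) {
    return { csp: "frame-ancestors 'none'", xfo: 'DENY' };
  }
  if (allowed.length === 1 && allowed[0] === 'self') {
    return { csp: "frame-ancestors 'self'", xfo: 'SAMEORIGIN' };
  }
  for (const origin of allowed) {
    if (origin !== 'self' && !ORIGIN_RE.test(origin)) {
      throw new Error(`not an https origin: ${origin}`);
    }
  }
  const sources = allowed.map((o) => (o === 'self' ? "'self'" : o)).join(' ');
  // X-Frame-Options has no working allow-list form (ALLOW-FROM was removed),
  // so an allow-list is enforced by CSP alone; xfo is null to signal that.
  return { csp: `frame-ancestors ${sources}`, xfo: null };
}

// Pull the frame-ancestors source list out of a full CSP header value.
// Returns null when the directive is absent (CSP then says nothing about framing).
function frameAncestorsSources(cspValue) {
  for (const directive of cspValue.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Does one source expression match an embedder origin (scheme://host[:port])?
// Handles 'none', 'self', and host sources with optional scheme, *. wildcard and port.
function sourceMatches(source, embedder, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return embedder === pageOrigin;
  const e = new URL(embedder);
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme && e.protocol !== scheme.toLowerCase() + ':') return false;
  const eh = e.hostname.toLowerCase();
  const h = host.toLowerCase();
  // A *. wildcard matches subdomains only, never the bare host itself.
  if (wildcard ? !eh.endsWith('.' + h) : eh !== h) return false;
  if (port && port !== '*') {
    const effective = e.port || (e.protocol === 'https:' ? '443' : '80');
    if (effective !== port) return false;
  }
  return true;
}

// Decide whether `embedder` may frame the page, given the response headers
// (lower-case names). frame-ancestors wins when present; X-Frame-Options is
// consulted only when it is not; no header at all means embedding is allowed.
function embeddingAllowed(headers, embedder, pageOrigin) {
  const csp = headers['content-security-policy'];
  const sources = csp ? frameAncestorsSources(csp) : null;
  if (sources) {
    return sources.some((s) => sourceMatches(s, embedder, pageOrigin));
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedder === pageOrigin;
  return true;
}
```

The checker deliberately treats a frame-ancestors directive as authoritative even when an X-Frame-Options header disagrees, which is why the two generated values should always say the same thing. Feed it the headers captured from a real response (for example from the iframe tester or from curl -I) to see which origins it will let through before deploying.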