We earn commission when you buy through affiliate links.
This does not influence our reviews or recommendations.Learn more.
There are many options to build the policy to enforce how you want to expose your web resources.
As I write,CSP frame-ancestorsworks with all the latest online window versions except IE.
I dont know when Microsoft will allow support on IE.
you’ve got the option to always check the web app compatibility atCan I Use site.
Lets take a look at the following implementation procedure.
Apache HTTP
mod_headersis the pre-requisite to inject any headers in Apache.
Similar to X-Frame-Options DENY.
If you dont want any site (including self) to embed then add the following.
Save the file and restart the Apache HTTP to take effect.
I tried to embed the site and as you might see it was getting blocked.
Similar to X-Frame-Options SAMEORIGIN, you’re free to add the following.
X-Frame-Options didnt have an option to allow from multiple domains.
Thanks to CSP, you’re free to do as below.
The above will allow the content to be embedded from self, geekflare.com, gf.dev, geekflare.dev.
Change these domains with yours.
Headers in Nginx should be added under theserverblock in a corresponding configuration file.
The above example will allow embedding content on yoursite.com and example.come.
After making changes, dont forget to restart the Nginx server to test the policy.
WordPress
It depends on how you are hosting WordPress.
To implement CSP in WordPress, you’re able to use theContent Security Policy Pro plugin.
Conclusion
CSP is one of the powerful,secure headersto prevent web vulnerabilities.
I hope the above instructions guide you on how to implement frame-ancestors in Apache and Nginx.
