frameguard
v4.0.0
Middleware to set X-Frame-Options headers
X-Frame-Options middleware
The X-Frame-Options HTTP header restricts who can put your site in a frame, which can help mitigate things like clickjacking attacks. The header has two modes: DENY and SAMEORIGIN.

This header is superseded by the frame-ancestors Content Security Policy directive but is still useful on old browsers.

If your app does not need to be framed (and most don't) you can use DENY. If your site can be in frames from the same origin, you can set it to SAMEORIGIN.
Usage:
const express = require("express");
const frameguard = require("frameguard");

const app = express();

// Pick one of the following (they are alternatives, not a chain):

// Don't allow me to be in ANY frames:
app.use(frameguard({ action: "deny" }));

// Only let me be framed by people of the same origin:
app.use(frameguard({ action: "sameorigin" }));

app.use(frameguard()); // defaults to sameorigin
A legacy action, ALLOW-FROM, is not supported by this middleware.
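The following is an added example, not code from the frameguard project: a minimal middleware in the same (req, res, next) shape that sets X-Frame-Options with the two supported modes, rejects the unsupported legacy ALLOW-FROM action, and also emits the frame-ancestors CSP directive that supersedes the header on modern browsers. The function names (frameOptions, normalizeAction, headersFor) and the fake response object used to inspect headers offline are assumptions of this example.

```javascript
// Added example, not the frameguard project's own code.
// A small X-Frame-Options middleware mirroring the behaviour described above,
// with the matching frame-ancestors CSP directive for modern browsers.

const ALLOWED_ACTIONS = new Set(["DENY", "SAMEORIGIN"]);

// Normalise the option: case-insensitive, defaults to SAMEORIGIN, and the
// legacy ALLOW-FROM value is refused rather than silently emitted.
function normalizeAction(action = "sameorigin") {
  const value = String(action).toUpperCase();
  if (value === "ALLOW-FROM") {
    throw new Error("ALLOW-FROM is a legacy action and is not supported");
  }
  if (!ALLOWED_ACTIONS.has(value)) {
    throw new Error(`X-Frame-Options action must be DENY or SAMEORIGIN, got "${action}"`);
  }
  return value;
}

// Build an Express-style middleware. Besides X-Frame-Options it sets
// Content-Security-Policy: frame-ancestors, because modern browsers prefer
// the CSP directive and the legacy header only covers old browsers.
function frameOptions(options = {}) {
  const action = normalizeAction(options.action);
  const ancestors = action === "DENY" ? "'none'" : "'self'";
  return function frameOptionsMiddleware(req, res, next) {
    res.setHeader("X-Frame-Options", action);
    res.setHeader("Content-Security-Policy", `frame-ancestors ${ancestors}`);
    if (typeof next === "function") next();
  };
}

// Run the middleware against a constructed fake response object (hypothetical,
// stands in for http.ServerResponse) and return the headers it produced,
// lower-cased the way Node exposes them, so the result can be checked offline.
function headersFor(options) {
  const headers = {};
  const res = {
    setHeader(name, value) {
      headers[name.toLowerCase()] = value;
    },
  };
  frameOptions(options)({}, res, () => {});
  return headers;
}

// Usage: headersFor({ action: "deny" }) gives
// { "x-frame-options": "DENY", "content-security-policy": "frame-ancestors 'none'" }
```

With a real Express app the middleware is mounted exactly like frameguard, app.use(frameOptions({ action: "deny" })); the headersFor helper only exists so the header output can be verified without starting a server.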