6
rated 0 times [  13] [ 7]  / answers: 1 / hits: 41174  / 7 Years ago, sun, october 29, 2017, 12:00:00

I have some static assets that I want to serve inside iframes of several desktop / mobile web clients.



Now, how do I whitelist a specific set of origins in the X-Frame-Options header, so that the resource can be embedded as iframes inside different desktop / mobile web clients, and deny access to this resource for all other origins?



With a little digging I started off with -



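const express = require('express');
const app = express();

// Middleware that adds CORS response headers to every request
var allowCrossDomain = function (req, res, next) {
  res.header('Access-Control-Allow-Origin', '*');
  res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS');
  res.header('Access-Control-Allow-Headers', 'Content-Type, X-Requested-With, Authorization');
  // Answer preflight requests directly; the method name must be a string literal
  if (req.method === 'OPTIONS') res.sendStatus(200);
  else next();
};
app.use(allowCrossDomain);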


Now, how do I set the X-Frame-Options header with the whitelisted origin values here?



 Answers
6

You should import helmet and use frameguard to get some origins whitelisted. More on this topic: MDN X-FRAME-OPTIONS Best Practice Security


[#56075] Thursday, October 26, 2017, 7 Years
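An added example, not part of the question or the answer above: current browsers honour only DENY and SAMEORIGIN for X-Frame-Options (ALLOW-FROM is obsolete and only ever took one origin), so a multi-origin allow-list is expressed with the Content-Security-Policy frame-ancestors directive instead. The origins and the function names buildFrameAncestors and frameAllowList are assumptions made for this sketch; the middleware uses only res.setHeader, so it works with Express via app.use.

```javascript
// Constructed sample allow-list; replace with the real client origins.
const ALLOWED_FRAME_ANCESTORS = [
  'https://desktop.example.com',
  'https://m.example.com',
];

// Build the header value. Every entry is reduced to an exact HTTPS origin,
// so a stray path or query string in the config cannot end up in the policy.
function buildFrameAncestors(origins) {
  const cleaned = origins.map((o) => {
    const u = new URL(o); // throws on malformed input
    if (u.protocol !== 'https:') {
      throw new Error('refusing non-HTTPS frame ancestor: ' + o);
    }
    return u.origin; // scheme + host + port only
  });
  // An empty list means "nobody may frame this", never "everybody may".
  return cleaned.length
    ? 'frame-ancestors ' + cleaned.join(' ')
    : "frame-ancestors 'none'";
}

// Middleware factory (hypothetical name). The list is validated once at
// startup, so a bad entry fails the deploy instead of weakening the policy.
function frameAllowList(origins) {
  const policy = buildFrameAncestors(origins);
  const denyAll = origins.length === 0;
  return function (req, res, next) {
    res.setHeader('Content-Security-Policy', policy);
    // X-Frame-Options cannot list several origins; send it only for deny-all,
    // where it agrees with the CSP and also covers very old browsers.
    if (denyAll) res.setHeader('X-Frame-Options', 'DENY');
    next();
  };
}

// Express usage: app.use(frameAllowList(ALLOWED_FRAME_ANCESTORS));
```

If the app already sends a Content-Security-Policy header, add the frame-ancestors directive to that policy rather than overwriting the header. The Access-Control-Allow-Origin header from the question governs cross-origin reads and has no effect on framing.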
tayaw