Forum Discussion
2 Replies
- samstep (Cirrocumulus)
This is not easy, as only the browser knows if a website is rendered in an iframe or a full window.
One way of getting that information is to use CSP (Content Security Policy) in Report-Only mode with the equivalent setting of the X-FRAME-OPTIONS header and send reports to a CSP reporting service such as report-uri.com.
Beware that if you find out that people are indeed "framing" your website they are just as likely to be hackers/attackers as legit customers - not quite sure how you would distinguish between them.
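The Report-Only approach described in the reply above, as an added example that is not part of the original post: a header equivalent to `X-Frame-Options: SAMEORIGIN` and a summary of the frame-ancestors reports it produces. The endpoint URL, host names and sample reports are constructed placeholders; it assumes the legacy `csp-report` JSON body and that the `referrer` field, when the browser supplies it, points at the embedding page.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Report-Only twin of "X-Frame-Options: SAMEORIGIN": nothing is blocked, but
# the browser reports each load that enforcement would have refused.
# REPORT_ENDPOINT is a placeholder, not a real collector address.
REPORT_ENDPOINT = "https://csp-reports.example/collect"
REPORT_ONLY_HEADER = (
    "Content-Security-Policy-Report-Only",
    f"frame-ancestors 'self'; report-uri {REPORT_ENDPOINT}",
)

def origin(url):
    """Reduce a URL to scheme://host[:port]; empty string if unusable."""
    if not isinstance(url, str):
        return ""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" if parts.scheme and parts.netloc else ""

def framing_summary(raw_bodies):
    """Count frame-ancestors reports per (framed page, referrer origin)."""
    counts = Counter()
    for body in raw_bodies:
        try:
            report = json.loads(body).get("csp-report")
        except (ValueError, AttributeError):
            continue  # the endpoint is public: skip malformed submissions
        if not isinstance(report, dict):
            continue
        directive = str(report.get("effective-directive")
                        or report.get("violated-directive") or "")
        if directive.split()[:1] != ["frame-ancestors"]:
            continue  # unrelated violation (script-src, img-src, ...)
        framer = origin(report.get("referrer")) or "(referrer withheld)"
        counts[(str(report.get("document-uri", "?")), framer)] += 1
    return counts

def sample(referrer, directive="frame-ancestors 'self'"):
    """Build one constructed report body for the demo data below."""
    return json.dumps({"csp-report": {"document-uri": "https://app.example/login",
                                      "referrer": referrer,
                                      "violated-directive": directive}})

# Constructed sample input, not captured traffic.
SAMPLE_REPORTS = [sample("https://partner.example/portal/home"),
                  sample("https://partner.example/help"), sample(""),
                  sample("https://app.example/", "script-src 'self'"), "not json"]
```

Anyone can post to a report endpoint, so the counts are a hint about who embeds the site rather than proof.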
- youssef1 (Cumulonimbus)
I don't know what kind of application/website you secure, but X-Frame-Options allows you to prevent clickjacking attacks. It is also about the reputation of your site, which can be hosted anywhere through an iframe.
I think you should do it differently: block it, and if someone needs your application to be hosted through an iframe, he must clearly justify it... And in F5 you have the ability to allow X-Frame-Options for a specific domain:
https://support.f5.com/csp/article/K16642
Let me know if you need more details.
Regards