I'm using frameguard on an Express server in an attempt to block iframe requests:
// server
const express = require('express');
const frameguard = require('frameguard');
const server = express();
// ...
server.use(frameguard({ action: 'deny' }));
If I go to any external site and insert an iframe in the DOM to point to my website, the response headers include X-Frame-Options: DENY, as it should, but the site still loads within the frame.
Tested using the latest version of Chrome, so I figure it's not an unsupported issue.
via Brady
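The question shows the header on a response but not which response the frame finally renders, so one useful check is to classify the headers of the document a frame navigation ends on. The following is an added example, not part of the original post or of frameguard; the function names and sample responses are constructed for illustration.

```javascript
'use strict';
// Added example; function names and sample responses are constructed for illustration.

// Return the frame-ancestors source list from a CSP header value, or null if absent.
function frameAncestors(csp) {
  for (const directive of String(csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Classify one response. Header names are lowercase, as Node's http module reports them.
function auditFraming(headers) {
  const sources = frameAncestors(headers['content-security-policy']);
  if (sources !== null) {
    // Browsers that support frame-ancestors enforce it in place of X-Frame-Options.
    const list = sources.join(' ');
    return list === "'none'" ? 'blocked' : 'review: frame-ancestors ' + list;
  }
  const xfo = headers['x-frame-options'];
  if (xfo === undefined) return 'unprotected';
  const value = String(xfo).trim().toUpperCase();
  if (value === 'DENY') return 'blocked';
  if (value === 'SAMEORIGIN') return 'same-origin only';
  // Anything else (ALLOW-FROM, duplicates joined by commas, typos) needs a manual look.
  return 'review: X-Frame-Options ' + value;
}

// The framed document is the first non-redirect response; audit that one.
function auditNavigation(hops) {
  const doc = hops.find((hop) => hop.status < 300 || hop.status >= 400);
  return doc ? { url: doc.url, verdict: auditFraming(doc.headers) } : null;
}

// Constructed sample: the header is on the redirect but missing on the final document.
const sampleHops = [
  { url: 'http://site.example/', status: 301,
    headers: { 'x-frame-options': 'DENY', location: '/home' } },
  { url: 'http://site.example/home', status: 200,
    headers: { 'content-type': 'text/html' } },
];

console.log(auditNavigation(sampleHops));
console.log(auditFraming({ 'x-frame-options': 'DENY' }));
```

Feed it the status and headers of each response in the frame's own navigation, as recorded in the browser's network panel.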