Can I allow iFrame embeds from specific external domains?

Keywords: WordPress + NGINX + SSL - Google Cloud Platform - Technical issue - Other
bnsupport ID: b6dcce30-b6d4-db81-d244-3c45dbf78568
Description:
Looks like by default on the WordPress + NGINX + SSL deployment it has the X-Frame-Options header set to “SAMEORIGIN”, I assume to prevent clickjacking attacks.

I’m trying to allow iFrame embeds from a specific domain and it looks like the way to do that is with Content Security Policy (CSP) frame-ancestors (as described in this article: https://nginx.tutorials24x7.com/blog/how-to-secure-nginx-from-clickjack-attack-using-csp-frame-ancestors).

Am I correct in thinking I can add a line like add_header Content-Security-Policy "frame-ancestors 'self' example1.com example2.com;"; to /opt/bitnami/nginx/conf/nginx.conf, restart NGINX and have this work?

Or does this need to go somewhere else?

I’m new to this stack and just trying to make sure I’m headed in the right direction to accomplish this. Any help/advice would be greatly appreciated!

Hi @JesseT,

That change should work. That’ll be the default header configuration and the WordPress app will also use it.

Let us know if that solves the problem.
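For reference, here is what the change discussed above looks like in a server block. This is an added illustration, not the configuration Bitnami ships; it assumes the site's server block lives in /opt/bitnami/nginx/conf/nginx.conf (the path from the question), that the site hostname is example.com, and that the two external embedding sites are example1.com and example2.com. The one caveat worth knowing in NGINX is that add_header is not inherited into a child context that declares its own add_header, so a location block with any add_header of its own must repeat the CSP line or the policy silently disappears for that path.

```nginx
# Added example, not Bitnami's stock config.
# Assumed file: /opt/bitnami/nginx/conf/nginx.conf
# Assumed hostnames: example.com (this site), example1.com and example2.com (allowed embedders)

http {
    # ... existing http-level settings (mime types, logging, ssl defaults) ...

    server {
        listen 443 ssl;
        server_name example.com;

        # Old default: only same-origin framing. Remove it when switching to
        # frame-ancestors. Browsers that support CSP frame-ancestors ignore
        # X-Frame-Options when both are present, but there is no reason to
        # send a header that contradicts the policy you actually want.
        # add_header X-Frame-Options "SAMEORIGIN";

        # New policy: this site plus two external sites may embed pages.
        # Host sources match the origin of the embedding page; listing an
        # explicit https:// scheme refuses embeds from http:// copies of the
        # same hosts. "always" keeps the header on error responses too
        # (nginx >= 1.7.5), which matters because a 404 or 500 page can be
        # framed just as easily as a 200.
        add_header Content-Security-Policy "frame-ancestors 'self' https://example1.com https://example2.com" always;

        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            # This block declares its own add_header, so it no longer inherits
            # the server-level one. Repeat the CSP line or PHP responses
            # (i.e. every WordPress page) will go out without frame-ancestors.
            add_header X-Content-Type-Options "nosniff" always;
            add_header Content-Security-Policy "frame-ancestors 'self' https://example1.com https://example2.com" always;

            fastcgi_pass 127.0.0.1:9000;   # assumed php-fpm address
            fastcgi_index index.php;
            include fastcgi_params;
        }
    }
}
```

After editing, check the syntax before restarting (`/opt/bitnami/nginx/sbin/nginx -t`, assuming the stock Bitnami binary path) and then restart NGINX. To confirm the policy actually reaches the browser, request a normal page and an error page and look at the headers, for example `curl -sI https://example.com/ | grep -i -e content-security-policy -e x-frame-options` and the same against a URL that 404s; both should show the frame-ancestors directive and neither should still show X-Frame-Options.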
