Headers

X-Frame-Options

Indicates whether a browser should render a page inside a frame, iframe, embed, or object.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Read more about this header here.

Usage

This header is enabled by default, but you can change its behavior as follows.

export default defineNuxtConfig({
  // Global
  security: {
    headers: {
      xFrameOptions: <OPTIONS>,
    },
  },

  // Per route
  routeRules: {
    '/custom-route': {
      security: {
        headers: {
          xFrameOptions: <OPTIONS>,
        },
      },
    }
  }
})

You can also disable this header by setting xFrameOptions: false.

Default value

By default, Nuxt Security will set the following value for this header.

X-Frame-Options: SAMEORIGIN

Available values

The xFrameOptions header can be configured with the following values.

xFrameOptions: 'DENY' | 'SAMEORIGIN' | false;

DENY

The page cannot be displayed in a frame, regardless of the site attempting to do so.

SAMEORIGIN

The page can only be displayed if all ancestor frames have the same origin as the page itself.
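As an added example (not part of the nuxt-security module or its documentation), the following Node.js script models how a browser applies these two values, and an absent or conflicting header, to a captured response, so you can check what each setting actually permits. The sample responses and origins are constructed.

```javascript
// Constructed sample responses (not real captures); Node's http module exposes
// header names in lower case, so that is the shape used here.
const SAMPLES = {
  nuxtDefault: { 'x-frame-options': 'SAMEORIGIN' }, // the module's default value
  locked: { 'x-frame-options': 'DENY' },            // xFrameOptions: 'DENY'
  disabled: {},                                     // xFrameOptions: false
  conflicting: { 'x-frame-options': 'DENY, SAMEORIGIN' },
};

// Decides whether a browser honouring X-Frame-Options would render the page
// inside a frame. `ancestorOrigins` holds the origin of every ancestor
// document, because SAMEORIGIN requires all of them to match the page's own
// origin. Follows the HTML spec algorithm: several different directives block,
// DENY blocks, and any other value (e.g. the obsolete ALLOW-FROM) is ignored.
function framingAllowed(headerValue, pageOrigin, ancestorOrigins) {
  if (headerValue === null || headerValue === undefined) return true; // no header: no restriction
  const directives = new Set(
    String(headerValue).split(',').map((v) => v.trim().toLowerCase()).filter(Boolean),
  );
  if (directives.size > 1) return false; // conflicting directives act like DENY
  const [directive] = directives;
  if (directive === 'deny') return false;
  if (directive === 'sameorigin') return ancestorOrigins.every((o) => o === pageOrigin);
  return true; // unrecognised directive: the header has no effect
}

// Audits one captured response: can a third-party site embed the page (the
// clickjacking case), and can the site still embed its own page?
function auditResponse(headers, pageOrigin) {
  const value = headers['x-frame-options'] ?? null;
  const byThirdParty = framingAllowed(value, pageOrigin, ['https://third-party.example']);
  const bySelf = framingAllowed(value, pageOrigin, [pageOrigin]);
  return {
    value,
    embeddableByThirdParty: byThirdParty,
    embeddableBySelf: bySelf,
    finding: byThirdParty ? 'clickjacking-exposed' : 'ok',
  };
}

// Stand-alone run over the constructed samples.
for (const [name, headers] of Object.entries(SAMPLES)) {
  console.log(name, auditResponse(headers, 'https://app.example'));
}
```

Note that SAMEORIGIN checks every ancestor, so a same-origin frame nested inside a cross-origin page is still blocked.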