Bypassing x-frame-options

Alexandru Cambose
Feb 2, 2018

What exactly is X-Frame-Options?

From the official Mozilla Developer docs:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Available directives for X-Frame-Options

  • DENY: the page may not be rendered in a frame at all, not even by a page from its own origin
  • SAMEORIGIN: the page may only be framed by a page from the same origin
  • ALLOW-FROM <uri>: the page may only be framed by the specified origin

How to bypass it?

Well… you can’t fully bypass it. One workaround is to set up a remote server that fetches the requested website for you and returns it without the X-Frame-Options header.
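Seen from the defender's side, the header is cheap to get right, and a proxied copy of a page is served from the proxy's own origin, without the visitor's cookies for the real site, so the protection of the authenticated page is not actually defeated. The following is an added example, not code from the original article: an Express-style middleware (function names are my own) that sets X-Frame-Options together with its standardised successor, CSP frame-ancestors, plus a checker for the header value a server actually returns.

```javascript
// Build the two response headers. Browsers that understand frame-ancestors ignore
// X-Frame-Options when both are present, so sending the pair is safe.
// ALLOW-FROM is obsolete and ignored by current browsers (no protection at all), so a
// list of trusted origins goes into frame-ancestors, with SAMEORIGIN as the fallback
// for old clients that only honour X-Frame-Options.
function frameProtectionHeaders(policy) {
  if (policy === 'deny') {
    return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
  }
  if (policy === 'sameorigin') {
    return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
  }
  if (Array.isArray(policy) && policy.length > 0) {
    // Accept only well-formed origins: a stray quote or semicolon would corrupt the CSP value.
    for (const origin of policy) {
      if (!/^https?:\/\/[A-Za-z0-9.\-]+(:\d+)?$/.test(origin)) {
        throw new Error(`not a valid origin: ${origin}`);
      }
    }
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': `frame-ancestors 'self' ${policy.join(' ')}`,
    };
  }
  throw new Error("policy must be 'deny', 'sameorigin' or a non-empty array of origins");
}

// Middleware factory with the (req, res, next) signature Express expects:
// app.use(frameProtection('deny')) would apply it to every response.
function frameProtection(policy) {
  const headers = frameProtectionHeaders(policy);
  return function (req, res, next) {
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    next();
  };
}

// Defender-side check: classify the X-Frame-Options value a server returned,
// e.g. res.headers['x-frame-options'] from a probe of your own site.
function classifyFrameOptions(value) {
  if (value === undefined || value === null || value.trim() === '') return 'missing';
  const v = value.trim().toUpperCase();
  if (v === 'DENY' || v === 'SAMEORIGIN') return v;
  if (v.startsWith('ALLOW-FROM')) return 'ALLOW-FROM (obsolete; ignored by current browsers)';
  return 'invalid';
}
```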

Node.js and Express approach

In this article we will build a server based on the Express framework.

Prerequisites

  • JavaScript promises
  • Basic understanding of Node.js and Express

Dependencies


Full Stack Web Developer interested in Blockchain and AI. Currently available for freelance work. https://github.com/alexcambose https://alexcambose.com/