You may want to allow your site to be embedded in an iframe on a different case (for example, to create a template page with your sites). Allowing a site to be loaded inside of an iframe in another site may allow malicious actors to use your site and brand to trick visitors into clicking the wrong link or submitting data to outside sources. Only enable this option if you want the site to be loaded in an iframe.
To enable the ability to load the site in an iframe:
- In the left panel, click Settings, and then click Site SSL.
- Click the Allow site to be loaded in an iframe toggle.
The following security settings have been implemented to inform browsers that the site should not load inside of an iframe:
- x-frame-options: SAMEORIGIN
- content-security-policy: frame-ancestors 'self'
The x-frame-options setting is the original version, while content-security-policy is a newer setting that is not fully supported by all browsers, yet. These tell browsers that the site should not be loaded within an iframe.
These settings are implemented by default to implement the best security practices out of the box. Allowing sites not to load within an iframe by default is a small step to prevent sites from being used for ClickJacking. ClickJacking is where a malicious user loads the site inside of some frame, while using the design of the site to try and get users to pass personal information that can be intercepted or collected.