Category: Feature Updates

Custom Security Headers Per Page

What is it and why you need it


You can now control how each particular page on your website can be embedded or accessed from external or third-party websites using Custom Security Headers.


This feature introduces page-level configuration, allowing you to decide exactly where your page can be displayed and which domains are permitted to frame it.


This helps you prevent unauthorized embedding of your pages, protect content from clickjacking risks, and allow trusted platforms to embed specific pages.



How it works


When a page is requested, the browser evaluates its response headers before rendering it inside an iframe.


This feature relies on two standard browser security mechanisms:


  • X-Frame-Options

    Indicates whether the page can be embedded and under what condition. It acts as a primary control for iframe permissions.


  • Content-Security-Policy (frame-ancestors)

    Provides a modern and flexible configuration that defines which domains are allowed to embed the page.


Note that by default, every page has the SAMEORIGIN X-Frame-Options rule enabled, which prevents the page from being embedded on any external site. As an admin, you can change this setting later according to your preference.



Available X-Frame configuration options:


1. DENY: Blocks the page from being embedded in any iframe across all domains. This option is recommended for sensitive or private pages where embedding should never occur.


2. SAMEORIGIN: Allows the page to be embedded only within the same domain. Useful when your own website needs to reuse or display the page internally while preventing third-party embedding.


3. ALLOW-FROM: Lets you specify one or more external URLs that are the only ones permitted to embed the page. This option is ideal for partner platforms, integrations, or controlled distribution scenarios.


4. ALLOW-ALL: Removes embedding restrictions and allows the page to be displayed inside iframes on any domain. Suitable for publicly shareable content that needs maximum exposure.



How to get started using it


To configure custom headers for a page, go to Website Builder -> Pages, click the three-dot menu on a page, and select Edit Page Settings.






Move to the Header Options tab.






Here you can find the X-Frame-Options dropdown where you can choose your preferred frame option.






Configuration behavior and generated headers


Selecting DENY prevents the page from being embedded anywhere. The generated response headers include:


  • X-Frame-Options: DENY

  • Content-Security-Policy: frame-ancestors 'none';






Selecting SAMEORIGIN allows the page to be embedded only within the same domain used on your EzyCourse platform. The generated response headers include:


  • X-Frame-Options: SAMEORIGIN

  • Content-Security-Policy: frame-ancestors 'self';






Selecting ALLOW-FROM shows an Allowed URLs input field where you can add one or more URLs that are permitted to embed the page.


The generated response headers include:


  • X-Frame-Options: ALLOW-FROM

  • Content-Security-Policy: frame-ancestors ;






The first URL is applied to X-Frame-Options and all provided URLs are applied to CSP frame-ancestors. 


[Note: Generated headers update dynamically based on entered URLs.]






ALLOW-ALL mode enables the page to be embedded in any external site. The generated response headers include:


  • X-Frame-Options: ALLOW-ALL

  • Content-Security-Policy: frame-ancestors *;






After selecting your preferred option, click the Save button to apply the security header rule to the page immediately.
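
To check what a saved rule actually permits, the following added example (not EzyCourse code) evaluates a page's two framing headers the way current browsers do: when frame-ancestors is present it decides and X-Frame-Options is skipped, and without it only DENY and SAMEORIGIN have any effect. The site names, the two allowed URLs and the exact ALLOW-FROM header values are constructed assumptions.

```python
from urllib.parse import urlsplit

def origin(url):
    """scheme://host[:port] of a URL, lower-cased."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_ancestors(csp):
    """Source list of the frame-ancestors directive, or None if it is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def may_embed(headers, page_url, embedder_url):
    """True if a current browser would let embedder_url frame page_url.

    Simplified: one level of framing and exact-origin matching only
    (no wildcard hosts or paths in frame-ancestors sources).
    """
    h = {k.lower(): v for k, v in headers.items()}
    page, embedder = origin(page_url), origin(embedder_url)
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # An enforced frame-ancestors directive makes browsers skip X-Frame-Options.
        for src in sources:
            if src == "*" or (src.lower() == "'self'" and embedder == page):
                return True
            if "://" in src and origin(src) == embedder:
                return True
        return False  # also covers 'none' and an empty source list
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return embedder == page
    # ALLOW-FROM, ALLOW-ALL and other unrecognised values are ignored by browsers.
    return True

# Constructed sample: the four modes, with two hypothetical allowed URLs.
PAGE = "https://school.example/courses"
MODES = {
    "DENY": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors 'none';"},
    "SAMEORIGIN": {"X-Frame-Options": "SAMEORIGIN", "Content-Security-Policy": "frame-ancestors 'self';"},
    "ALLOW-FROM": {"X-Frame-Options": "ALLOW-FROM https://partner.example",
                   "Content-Security-Policy": "frame-ancestors https://partner.example https://lms.example;"},
    "ALLOW-ALL": {"X-Frame-Options": "ALLOW-ALL", "Content-Security-Policy": "frame-ancestors *;"},
}
```

In ALLOW-FROM mode the allow-list is enforced by frame-ancestors alone, so when testing a page confirm that the Content-Security-Policy header reaches the browser intact; an ALLOW-FROM X-Frame-Options value on its own restricts nothing in current browsers.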


