Transitioning to Content-Security-Policy frame-ancestors
Transitioning to Content-Security-Policy frame-ancestors
While X-Frame-Options remains widely supported, the frame-ancestors directive in Content-Security-Policy provides more flexible control:
# X-Frame-Options equivalent
X-Frame-Options: DENY
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'
# More flexible options with CSP
Content-Security-Policy: frame-ancestors 'self' https://trusted-partner.com https://*.example.com
Implementing both for maximum compatibility:
app.use((req, res, next) => {
// Legacy support
res.setHeader('X-Frame-Options', 'SAMEORIGIN');
// Modern browsers
const csp = "frame-ancestors 'self' https://trusted-partner.com";
res.setHeader('Content-Security-Policy', csp);
next();
});