Plans supporting access to security settings in the knowledge base site
Professional | Business | Enterprise |
---|---|---|
X-Frame options allow you to control whether your Knowledge base can be embedded in <frame>, <iframe>, <embed>, or <object> tags on other domains. This feature provides an additional layer of security by preventing malicious websites from embedding your Knowledge base using the above tags.
NOTE
Ensure that you are not using iframe-based embedding for unauthorized domains, as it will be blocked when the X-Frame options setting is enabled.
Access X-Frame options
Navigate to Settings in the left navigation bar in the Knowledge base portal.
In the left navigation pane, navigate to Users & security > Security.
This section contains controls for various security settings.
Locate the toggle labeled Enable X-Frame options and switch it on to restrict iframe embedding from external domains.
For example, if your knowledge base domain is help.example.com and you want to prevent other sites like support.test.com from embedding your content via iframes, ensure the Enable X-Frame options toggle is turned on.
FAQ
What is an iframe?
An iframe, also known as an inline frame, is an HTML element that allows web developers to embed another HTML document within the current document. The content within an iframe is a separate web page displayed within a specific section of another web page. Due to its ability to embed external content, managing iframe usage with security settings such as X-Frame options is crucial to prevent security risks like clickjacking.
What are the embedded tags that I can restrict with the X-Frame options?
The X-Frame options setting allows you to control whether your knowledge base can be embedded in <frame>, <iframe>, <embed>, or <object> tags on external domains.
Why are X-Frame options important?
The X-Frame options are vital for security as they help prevent clickjacking attacks, where an attacker embeds your knowledge base in a malicious website. This embedding tricks users into performing unintended actions. Enabling X-Frame options ensures your knowledge base cannot be embedded on external domains, safeguarding user interactions.
How can I configure the X-Frame options for my knowledge base?
Navigate to Settings in the left navigation bar in the Knowledge base portal.
In the left navigation pane, navigate to Users & security > Security.
Locate the toggle labeled Enable X-Frame options and switch it on to prevent your knowledge base from being embedded on unauthorized external domains.
How can I test if my X-Frame options are working?
You can test if your X-Frame options are correctly configured by:
Using your browser’s developer tools and checking the Network tab to inspect response headers for the X-Frame-Options setting.
Using third-party services like securityheaders.com to verify that the correct X-Frame-Options header is applied.
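The header check described above can also be scripted. The following Python is an added example, not part of the original article or the product's code: it classifies a response header block copied from the Network tab or from a command-line HTTP client. It goes beyond the article by also reading the Content-Security-Policy frame-ancestors directive, which current browsers apply in preference to X-Frame-Options; the function names and the sample responses are constructed for illustration.

```python
# Added example: classify the anti-framing headers of an HTTP response.
# Function names and the sample responses are constructed for illustration.

def parse_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines():
        name, sep, value = line.partition(":")
        if sep and " " not in name.strip():  # skips status and malformed lines
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def frame_ancestors(headers):
    """Return the CSP frame-ancestors source list, or None if no policy sets it."""
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                return [p.lower() for p in parts[1:]]
    return None

def framing_verdict(raw):
    """Return 'blocked', 'allowlist', 'obsolete' or 'unprotected'."""
    headers = parse_headers(raw)
    ancestors = frame_ancestors(headers)
    if ancestors is not None:
        # Browsers that support frame-ancestors apply it, not X-Frame-Options.
        if "*" in ancestors:
            return "unprotected"
        if all(src in ("'none'", "'self'") for src in ancestors):
            return "blocked"      # an empty source list behaves like 'none'
        return "allowlist"        # embedding allowed for listed origins: review them
    values = {v.strip().upper()
              for header in headers.get("x-frame-options", [])
              for v in header.split(",")}
    if values & {"DENY", "SAMEORIGIN"}:
        return "blocked"
    if any(v.startswith("ALLOW-FROM") for v in values):
        return "obsolete"         # ALLOW-FROM is ignored by current browsers
    return "unprotected"

SAMPLES = {  # constructed responses for help.example.com
    "toggle on": "HTTP/1.1 200 OK\nContent-Type: text/html\nX-Frame-Options: SAMEORIGIN",
    "toggle off": "HTTP/1.1 200 OK\nContent-Type: text/html",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {framing_verdict(raw)}")
```

A verdict of "blocked" means cross-origin embedding is refused; "allowlist" means the listed origins can still frame the page and should each be reviewed.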
What are the potential risks of not using X-Frame options?
If the X-Frame options are not enabled for your knowledge base, it may be embedded in an iframe on another website without your authorization. This lack of control exposes your site to clickjacking attacks, where attackers overlay invisible or misleading elements over your interface to trick users into performing unintended actions, such as divulging passwords or clicking on malicious links. Such vulnerabilities can compromise user security and potentially lead to data breaches.
What is clickjacking?
Clickjacking, also known as UI redressing or UI masking, is a malicious technique where attackers trick users into clicking on a button or link that is hidden or obscured within a web page or application. This is often achieved by overlaying a transparent layer with deceptive elements over a legitimate website or application. Users may think they are interacting with the actual site, but in reality, they are engaging with elements controlled by the attacker. Such interactions can lead to adverse outcomes, like downloading malware, making unauthorized purchases, or inadvertently sharing sensitive information. Utilizing security settings like X-Frame options can help protect against such attacks by preventing unauthorized embedding of your content.
What is a malicious website?
A malicious website is a site designed to cause harm to visitors or their devices. These sites may trick visitors into downloading malware, steal personal information, or engage in fraudulent activities. Using X-Frame options helps prevent your content from being embedded on such sites, enhancing your security measures against these risks.