X-Frame options
  • 02 Mar 2023
  • 3 Minutes to read
  • Contributors
  • Dark
  • PDF

X-Frame options

  • Dark
  • PDF

What is X-Frame options?

The X-Frame options allows you to control whether your Knowledge base can be embedded in <frame>, <iframe>, <embed>, or <object> tag on other domains. This feature provides an additional layer of security by preventing malicious websites from embedding your Knowledge base in the above tags.

Ensure that you are not using iframe-based embedding, as it will not work when the project's X-Frame options setting is enabled.

How to access the X-Frame options?


  1. Go to SettingsUsers & SecuritySecurity
  2. The X-Frame options section appears
  3. To restrict the embedded iframe in other domains, turn on the Enable X-Frame options toggle

For example, your Knowledge base domain is help.example.com; and you wish to restrict the embedded iframe in support.test.com and other domains except example.com

The toggle is disabled for existing projects and enabled by default for new projects created after January 28, 2023.



1. What are the embedded tags that I can restrict with the X-Frame options?

The X-Frame options is used to control whether your knowledge base can be embedded in <frame>, <iframe>, <embed>, or <object> tags on external domains.

2. Why is X-Frame important?

The X-Frame options is crucial because it helps to prevent clickjacking attacks. When an attacker uses an iframe to embed your knowledge base within a malicious website to trick users into performing actions, they did not intend to. By enabling the X-Frame options in Document360, your knowledge base can prevent itself from embedding in an iframe on an external domain.

3. How do I set the X-Frame options for my Knowledge base?

  1. Go to SettingsUsers & SecuritySecurity
  2. Enable the toggle under the X-Frame sections

4. Can I test if my website has the X-Frame options set correctly?

Yes, you can use online tools such as the "Network" tab in your browser's developer tools or third-party websites like https://securityheaders.com/ to check if your website has the X-Frame options set correctly.

5. Can I specify which domains can embed my Knowledge base in an iframe?

Yes, you can specify the allowed domains in the Frame source of content security policy setting. For more information, see the content security policy article.

6. What are the potential risks of not using the X-Frame?

If the X-Frame options are not enabled for your Knowledge base, it can be embedded in an iframe on another website without your knowledge. This can lead to clickjacking attacks, where attackers may trick users into performing actions they did not intend to. It can also lead to security vulnerabilities in your Knowledge base.

7. Is it possible to disable X-Frame options?

It is not recommended to disable the X-Frame options for your knowledge base, as it poses a security risk.

If you want to allow all domains to embed your knowledge base in an iframe, you can disable the X-Frame options toggle (SettingsUsers & SecuritySecurityX-Frame sections).

8. What is clickjacking?

Clickjacking, also known as UI redressing or UI masking, is a malicious technique used by attackers to trick users into clicking on a button or link hidden or obscured in a web page or application.

For example, say an attacker creates a transparent layer over a legitimate website or application that contains hidden buttons or links. The user believes they are clicking on a legitimate button or link on the actual website, but in reality, they are clicking on the hidden button or the link on the attacker's layer. This action can result in the user unknowingly performing activities such as downloading malware, making unauthorized purchases, or sharing sensitive information.

9. What is a malicious website?

A malicious website is a website that has been created with the intention of causing harm to visitors or their devices. These websites are designed to trick visitors into downloading malware, stealing personal information, or engaging in fraudulent activity.

10. What is an iframe?

An iframe, also known as an inline frame, is an HTML element that allows web developers to embed another HTML document within the current document. The content within an iframe is a separate web page that can be displayed within a specific section of another web page.

Was this article helpful?