What headers exactly does 'Use Secure Frame Headers' turn on/off?

I’ve scoured Forum, University, Blog and Google and haven’t found out what exactly is turned on and off with that “Use Secure Frame Headers” toggle.

It essentially restricts where your site can be embedded. Enabling it will prevent your pages from being embedded elsewhere using an iframe.


Thanks @Drew_Schafer, but that I know, since that info was available in the tooltip.
I’m actually wanting to know (from Webflow, but posted here or on University so we can all benefit from knowing) exactly what headers it turns off.

For example, some headers could include:

  • Content-Security-Policy
  • X-Frame-Options
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

@Megan_Wallace @samliew Anyone know? Or, anyone know anyone who will know the answer to this? Thank you!

Hi @jonreese , this toggle is available at certain Enterprise Lite tiers and Enterprise (you can toggle it on/off but it won’t work if we haven’t switched it on through the backend), and covers these headers:

  • x-xss-protection
  • x-content-type-options
  • x-frame-options
  • referrer-policy
  • x-permitted-cross-domain-policies
  • timing-allow-origin
  • feature-policy
  • expect-ct
  • content-security-policy

Let me know if you have further questions.

Thank you,
Megan

Thanks @Megan_Wallace, but that toggle is on every site plan, not just Enterprise; so toggling it on toggles on all those headers, on every site plan? (If that’s correct, please edit your message to remove the part about Enterprise and let me know, so I can mark it as the Solution. Thanks Megan!)

Updated my response above. The toggle only actually enables HSTS if we’ve enabled it in the backend, and that’s only available to certain Enterprise Lite tiers & Enterprise.

@jonreese, since the ‘Use Secure Frame Headers’ toggle controls whether the website will load inside an iframe, it will at least set the following response headers:

  1. ‘x-frame-options’
  2. ‘content-security-policy’

When the toggle is set to on, those header values will typically be “SAMEORIGIN” and “frame-ancestors ‘self’”.

HSTS (strict-transport-security) is really a client (browser) policy for secure (TLS) connections, which seems to be an additional option for Enterprise plans based on @Megan_Wallace’s reply.
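To make the two points above concrete (which headers the toggle sets, and how a browser decides whether a page may be framed from `X-Frame-Options` and `frame-ancestors`), here is an added example that is not Webflow's code and not from any post in this thread. It takes a dictionary of response headers, reports which of the headers in Megan's list are absent, and classifies the framing policy. The header values in `TOGGLE_ON_SAMPLE` are constructed from the values quoted above, and the precedence rule (a CSP `frame-ancestors` directive overrides `X-Frame-Options` when both are present) is the one in the CSP specification.

```python
"""Audit the security headers discussed in the thread and classify framing policy.

Added example: not Webflow's implementation. Header names come from the list
posted in the thread; the sample values are constructed for illustration.
"""
from typing import Dict, List, Optional

# Header names as listed in the thread for the 'Use Secure Frame Headers' toggle.
EXPECTED_HEADERS = [
    "x-xss-protection",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "x-permitted-cross-domain-policies",
    "timing-allow-origin",
    "feature-policy",
    "expect-ct",
    "content-security-policy",
]

# Constructed sample: what a toggle-on response might carry for the two
# framing-related headers quoted in the thread (other headers omitted).
TOGGLE_ON_SAMPLE: Dict[str, str] = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
}


def normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; compare them in lower case."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def csp_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    Directives are separated by ';' and each is 'name source source ...'.
    """
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [source.lower() for source in parts[1:]]
    return None


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify who may embed the page: 'none', 'same-origin', 'restricted' or 'any'.

    A CSP frame-ancestors directive takes precedence over X-Frame-Options, so it
    is evaluated first; X-Frame-Options is consulted only when CSP says nothing.
    """
    h = normalize(headers)
    csp = h.get("content-security-policy")
    if csp:
        sources = csp_frame_ancestors(csp)
        if sources is not None:
            if sources == ["'none'"]:
                return "none"
            if sources == ["'self'"]:
                return "same-origin"
            if "*" in sources:
                return "any"
            return "restricted"  # specific host sources listed

    xfo = h.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return "none"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers; treat it as not
    # enforced so the audit does not over-state the protection.
    return "any"


def missing_headers(headers: Dict[str, str]) -> List[str]:
    """Names from the thread's list that the response does not carry."""
    h = normalize(headers)
    return [name for name in EXPECTED_HEADERS if name not in h]


if __name__ == "__main__":
    print("toggle on :", framing_policy(TOGGLE_ON_SAMPLE))   # same-origin
    print("toggle off:", framing_policy({}))                 # any
    print("missing   :", missing_headers(TOGGLE_ON_SAMPLE))
```

Feeding the function real response headers (for example from `requests.get(url).headers`) turns it into a quick check of what the toggle actually changed on a given site; note that HSTS is deliberately not in `EXPECTED_HEADERS`, matching the thread's conclusion that it is controlled separately.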