How to use X–Frame–Options's `ALLOW–FROM` directive

The X-Frame-Options header has a directive, ALLOW-FROM, which is obsolete. It has limited browser support and is improved by the frame-ancestors Content Security Policy directive. To quote MDN: "don't use it."

If you need to set this directive value for some reason, you can create your own small middleware function. Here's what that might look like:

app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "ALLOW-FROM https://example.com");
  next();
});