The X-Frame-Options header has a directive, ALLOW-FROM, which is obsolete. It has limited browser support and has been superseded by the frame-ancestors Content Security Policy directive. To quote MDN: "don't use it."
If you need to set this directive value for some reason, you can create your own small middleware function. Here's what that might look like:
app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "ALLOW-FROM https://example.com");
  next();
});
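For comparison, here is the same allowlist expressed with the frame-ancestors directive mentioned above. This is an added example, not code from the original page; `buildFrameAncestors` and `frameAncestors` are hypothetical names, and the middleware assumes an Express-style `(req, res, next)` signature.

```javascript
// Added example: build a frame-ancestors policy from an origin allowlist.
// buildFrameAncestors() and frameAncestors() are hypothetical helper names.

function buildFrameAncestors(origins) {
  if (!Array.isArray(origins) || origins.length === 0) {
    // Fail closed: with no allowlist, nobody may frame the page.
    return "frame-ancestors 'none'";
  }
  const sources = origins.map((origin) => {
    if (origin === "'self'") return origin;
    const url = new URL(origin); // throws on malformed input
    if (url.protocol !== "https:" || url.origin !== origin) {
      // Reject http:, paths, queries, credentials and trailing slashes so
      // the allowlist contains exact HTTPS origins only.
      throw new Error(`not a bare https origin: ${origin}`);
    }
    return url.origin;
  });
  return `frame-ancestors ${sources.join(" ")}`;
}

function frameAncestors(origins) {
  // Validate once at startup so a bad allowlist fails before serving traffic.
  const policy = buildFrameAncestors(origins);
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", policy);
    next();
  };
}

// Usage with an Express-style app (example.com is the page's sample origin):
// app.use(frameAncestors(["'self'", "https://example.com"]));
```

`setHeader` replaces any Content-Security-Policy value set earlier in the chain, so if the app already sends a policy, add frame-ancestors to that policy instead of using a second middleware.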