frameguard v3.1.0

Middleware to set X-Frame-Options headers

Frameguard

The X-Frame-Options HTTP header restricts who can put your site in a frame, which can help mitigate things like clickjacking attacks. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM; this middleware defaults to SAMEORIGIN. If your app does not need to be framed (and most don't), you can use DENY. If your site can be in frames from the same origin, you can set it to SAMEORIGIN. If you want to allow framing from a specific URL, you can do that with ALLOW-FROM and a URL.

Usage:

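const express = require('express')
const frameguard = require('frameguard')

const app = express()

// The calls below are alternatives; use the one that fits your app.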

// Don't allow me to be in ANY frames:
app.use(frameguard({ action: 'deny' }))

// Only let me be framed by people of the same origin:
app.use(frameguard({ action: 'sameorigin' }))
app.use(frameguard())  // defaults to sameorigin

// Allow from a specific host:
app.use(frameguard({
  action: 'allow-from',
  domain: 'https://example.com'
}))

This has pretty good (but not 100%) browser support: IE8+, Opera 10.50+, Safari 4+, Chrome 4.1+, and Firefox 3.6.9+. The ALLOW-FROM header option is not supported in Chrome or Safari. Those browsers will ignore the entire header, and the frame will be displayed, so you probably want to avoid using that option.
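To check which mode a response actually carries and whether it falls under the ALLOW-FROM caveat above, a header value can be classified as follows. This is an added example, not part of frameguard; the function name, result fields and sample values are hypothetical and constructed for illustration.

```javascript
'use strict'

// Added example, not part of frameguard; all names here are hypothetical.
// Classifies an X-Frame-Options value into the modes described above and
// records whether Chrome and Safari honor it (they ignore ALLOW-FROM).
function auditXFrameOptions (headerValue) {
  const value = headerValue == null ? '' : String(headerValue).trim()
  const result = (mode, valid, honoredByChromeSafari, note, extra = {}) =>
    ({ mode, valid, honoredByChromeSafari, note, ...extra })

  if (value === '') return result(null, false, false, 'header missing')

  // Header values are matched case-insensitively.
  const upper = value.toUpperCase()
  if (upper === 'DENY') return result('DENY', true, true, 'no framing allowed')
  if (upper === 'SAMEORIGIN') return result('SAMEORIGIN', true, true, 'same-origin framing only')

  const match = /^ALLOW-FROM\s+(\S+)$/i.exec(value)
  if (match) {
    let origin
    try {
      origin = new URL(match[1]).origin // throws when the URL has no scheme
    } catch (err) {
      return result('ALLOW-FROM', false, false, 'ALLOW-FROM needs an absolute URL')
    }
    return result('ALLOW-FROM', true, false,
      'ignored by Chrome and Safari, so the page can be framed there',
      { allowedOrigin: origin })
  }
  return result(null, false, false, 'not DENY, SAMEORIGIN or ALLOW-FROM <url>')
}

// Constructed sample header values, as they might appear in captured responses.
const samples = [
  'DENY',
  'sameorigin',
  'ALLOW-FROM https://example.com',
  'ALLOW-FROM example.com', // missing scheme
  'DENY, SAMEORIGIN', // two values merged into one header
  undefined // header not sent
]

for (const sample of samples) {
  const audit = auditXFrameOptions(sample)
  console.log(JSON.stringify(sample), '->', audit.mode, '|', audit.note)
}
```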
