Removing X-Frame-Options in ASP.NET MVC Core 7

I had an ASP.NET Core 7 App that used forms.

And I actually WANTED it to be used within an iFrame.

As soon as you add a form to a Web App, the server immediately starts returning X-Frame-Options: SameOrigin in all requests.

I tried a variety of means to remove this, including:

app.UseStaticFiles();

            app.Use(async (context, next) =>

            {

                context.Response.Headers.Remove("X-Frame-Options");

                context.Response.Headers.Add("Bob", "Hello");

                await next.Invoke();

            });

            app.UseRouting();

The Bob header was being added, but X-Frame-Options stubbonly remained.

In the end I found the solution was to use:

// Remove X-Frame-Options, allowing Framing

            builder.Services.AddAntiforgery(options =>

            {

                options.SuppressXFrameOptionsHeader = true;

            });

The ASP.NET Core security headers guide (elmah.io)

Enable Cross-Origin Requests (CORS) in ASP.NET Core | Microsoft Learn

ASP.NET Core Middleware | Microsoft Learn

Transferring domains to Google

I decided to leave 123-reg after they chose to upgrade their email services and removed catch-all email forwarding. I found a slight issue when transferring Nominet (.uk) domains to Google. The transfer process requires Google to send a handshake email to the registrant's email address, requesting them to approve the transfer. However, if you don't have a gmail address registered, you don't seem to get an email. So it is important to set the registrant's contact email to a Gmail address first, before setting the IPS tag.