Thursday 22 June 2023

Removing X-Frame-Options in ASP.NET MVC Core 7

I had an ASP.NET Core 7 App that used forms.

And I actually WANTED it to be used within an iFrame.

As soon as you add a form to a Web App, the server immediately starts returning X-Frame-Options: SameOrigin in all requests.

I tried a variety of means to remove this, including:


            app.Use(async (context, next) =>
                context.Response.Headers.Add("Bob", "Hello");
                await next.Invoke();


The Bob header was being added, but X-Frame-Options stubbonly remained.
In the end I found the solution was to use:

// Remove X-Frame-Options, allowing Framing
            builder.Services.AddAntiforgery(options =>
                options.SuppressXFrameOptionsHeader = true;

No comments:

Post a Comment