Removing X-Frame-Options in ASP.NET MVC Core 7

I had an ASP.NET Core 7 App that used forms.

And I actually WANTED it to be used within an iFrame.

As soon as you add a form to a Web App, the server immediately starts returning X-Frame-Options: SameOrigin in all requests.

I tried a variety of means to remove this, including:

app.UseStaticFiles();

            app.Use(async (context, next) =>

            {

                context.Response.Headers.Remove("X-Frame-Options");

                context.Response.Headers.Add("Bob", "Hello");

                await next.Invoke();

            });

            app.UseRouting();

The Bob header was being added, but X-Frame-Options stubbonly remained.

In the end I found the solution was to use:

// Remove X-Frame-Options, allowing Framing

            builder.Services.AddAntiforgery(options =>

            {

                options.SuppressXFrameOptionsHeader = true;

            });

The ASP.NET Core security headers guide (elmah.io)

Enable Cross-Origin Requests (CORS) in ASP.NET Core | Microsoft Learn

ASP.NET Core Middleware | Microsoft Learn