
HTTP Headers

First, we need to prepare your web application to serve the correct HTTP headers to allow iFraming inside TestBox.

Removing X-Frame-Options

Many web apps today include an X-Frame-Options header on all responses with a value of DENY. This prevents your web app from being framed anywhere. This is generally a safe option, but unfortunately is incompatible with integrating with TestBox.

The first step is to remove your usage of this header. We will instead use the more advanced Content-Security-Policy header to control the framing of your web app. Plus, doing so will move your web app into the future, as X-Frame-Options is considered obsolete!

Adding or changing Content-Security-Policy


If you do not currently use Content-Security-Policy, you should prepare your web framework to add this header to all HTTP responses. The minimal Content-Security-Policy value that works with TestBox would look like this in an HTTP response:

Content-Security-Policy: frame-ancestors https://*.testbox.com/;

If you currently serve a Content-Security-Policy header, you may want to add our domain to your pre-existing frame-ancestors directive:

Content-Security-Policy: frame-ancestors https://*.testbox.com/ https://*.anotherwebsite.com/;
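The following is an added example, not code from TestBox or this page, showing how a response-header filter in a web framework could apply both steps above: drop X-Frame-Options and merge the TestBox source into the frame-ancestors directive of a Content-Security-Policy, whether no CSP exists yet, a CSP without frame-ancestors exists, or a CSP already lists other ancestors. The source expression comes from the page; the function names and the sample header sets are this example's own assumptions.

```python
from typing import Dict, Optional

# Source expression taken from the page. Everything else here is an
# assumed helper, not part of the TestBox integration itself.
TESTBOX_SOURCE = "https://*.testbox.com/"


def merge_frame_ancestors(csp: Optional[str], source: str) -> str:
    """Return a CSP value whose frame-ancestors directive includes `source`.

    Cases handled:
    - no CSP at all             -> "frame-ancestors <source>;"
    - CSP without the directive -> directive appended to the existing policy
    - CSP with the directive    -> source added to that directive's list
                                   (once; re-running does not duplicate it)
    A pre-existing 'none' is dropped, since it would contradict the allowed
    source and browsers ignore any other source listed beside it.
    """
    if not csp or not csp.strip():
        return f"frame-ancestors {source};"
    directives = [d.strip() for d in csp.split(";") if d.strip()]
    out = []
    found = False
    for directive in directives:
        name, _, value = directive.partition(" ")
        if name.lower() == "frame-ancestors":
            found = True
            sources = [s for s in value.split() if s.lower() != "'none'"]
            if source not in sources:
                sources.append(source)
            out.append("frame-ancestors " + " ".join(sources))
        else:
            out.append(directive)
    if not found:
        out.append(f"frame-ancestors {source}")
    return "; ".join(out) + ";"


def apply_testbox_framing_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the response headers adjusted for TestBox framing.

    X-Frame-Options is removed (any casing) and the TestBox source is merged
    into Content-Security-Policy, preserving the existing header's casing
    and its other directives.
    """
    result: Dict[str, str] = {}
    csp_key = None
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            continue  # step 1: stop sending the obsolete header
        if name.lower() == "content-security-policy":
            csp_key = name
        result[name] = value
    key = csp_key or "Content-Security-Policy"
    result[key] = merge_frame_ancestors(result.get(key), TESTBOX_SOURCE)
    return result


if __name__ == "__main__":
    # Constructed sample header sets, one per case described above.
    samples = [
        {"X-Frame-Options": "DENY", "Content-Type": "text/html"},
        {"Content-Security-Policy": "default-src 'self'; script-src 'self'"},
        {"Content-Security-Policy": "frame-ancestors https://*.anotherwebsite.com/"},
    ]
    for sample in samples:
        print(apply_testbox_framing_headers(sample))
```

Hooking this into a framework's "after response" stage (Django middleware, Flask `after_request`, an Express response hook, and so on) is the typical way to apply it to every response. A per-request boolean gate in front of `apply_testbox_framing_headers` is also the natural place for the conditional approach described under "Dynamically allowing framing" below.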

Additional advantages to Content-Security-Policy

Content-Security-Policy is a powerful browser feature to protect the security and integrity of your web app. It allows you to control, very specifically, what content is allowed to load and execute on your site. If you are introducing Content-Security-Policy to your web app for the first time, we definitely suggest you have a look at some of the other directives available to you.

Dynamically allowing framing

If you are not comfortable with removing the X-Frame-Options header entirely, you may want to consider dynamically removing the header based on whether or not an account is a TestBox account. However, this would require usage of JWT-based SSO, something that is discussed in auto-login. Please contact us for guidance if this is an option you'd like to explore.