How to block others from spoofing with iframe of my site

Update: It worked when I tested it. Are some of the admin files in WP ‘iFrames’????

There is a method to block the cross-domain content calling and display with iFrame, you can try put in this code in htaccess:

Header always append X-Frame-Options SAMEORIGIN

Do I copy that exactly and where in the htaccess file, anywhere? Thank you

I will suggest you to put the code into root folder .htaccess file. Just paste in the code into anyway in .htaccess file will do

@webmistressofthedark: The original snippet you provided has nothing to do with iframes. Neither does it provide security of any sort. And it surely doesn’t have anything to do with WordPress updates.

If you were the “Jane” that posted on this StackOverflow Q&A about 5 hours ago, the downvote should have given you a hint.

The traditional way to prevent iframing is to the X-Frame-Options HTTP response header. In your .htacess file (for Apache and drop-in replacements), you’d use a single line like this:

Header set x-frame-options SAMEORIGIN

This would prevent other sites from displaying your site in an iframe, but still allow you to iframe any of your site’s URLs on the same site (that’s the SAMEORIGIN bit).

But this approach is deprecated in all modern browsers and may not always work as intended.

The modern and recommended approach is to use the frame-ancestors directive in a Content-Security-Policy header.

The easiest way to implement this would be to use a CSP/HTTP Headers plugin. If you’re using a general security plugin, it may already have iframe protection or general CSP headers capability built-in.

And talking about general security, I highly recommend reviewing the Hardening WordPress document and implementing most (if not all) the recommendations. Even if you’re using a security plugin, it’s still a good idea to review this document to understand what features to enable in the plugin.

Good luck!

Well I might have asked elsewhere but not sure why a downvote would tell me anything since I did not see it and the question was if the snippet my host gave me was correct. I guess if they downvote honest questions I don’t want to go there again.

And I have no understanding of your explanation. I just want to know where to put what code.

Thanks for nothing!

I guess if they downvote honest questions I don’t want to go there again.

That was not a question you (or whoever the “Jane” is) asked.

It was a response — a wrong answer — to someone’s question and deserved the downvote.

The thread was asking about that code. The question was an additional query about the same code that was given by the host to add to the htaccess file. Sorry that the coding Gods were offended.

I guess respect was lost after my generation.

I guess respect was lost after my generation.

Communities have ALWAYS had rules though, online or offline, irrespective of generation. And there are often consequences when those rules are not followed, with ignorance not being a widely accepted excuse.

Anyway, I’m unsubscribed and out of this thread.

Good luck!