Drupal and X-Frame-Options

Submitted by dalles on Mon, 03/13/2017 - 16:34



Our school's main web platform is shifting to Drupal and what we have discovered is that we can no longer embed departmental websites into iframes and display that content inside our portal. I've done some research on clickjacking, which appears to be the reason behind Drupal using the X-Frame-Options configuration to deny the request. We are having a meeting to discuss this but I would like to know if anyone else has experienced this issue. Are there really security issues around displaying a departmental webpage inside a Luminis portal when both sites are hosted within the same institution?

Any info would be appreciated.


University of Vermont

Hi David,

I manage the Drupal infrastructure here at Lehigh University. It is possible to have Drupal remove the X-Frame-Options header so that you can embed it. The real issue with embedding websites comes from allowing it to be embedded on other sites that are out of your control.

You can have your administrator remove this new feature if required, however I'd recommend taking a look at

I would strongly recommend that you set up Content-Security-Policy using that module or in a similar fashion.

If you need any assistance outside of this you can get a hold of me using my handle here.
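
The header choice discussed in this thread, as an added example that is not part of either post: a Python check of whether a response's framing headers let a given parent page embed it, using the browser rule that a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options`. The hostnames and header values are constructed placeholders, and the source matching is simplified as noted in the comments.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """Return (scheme, host, port) with the scheme's default port filled in."""
    u = urlsplit(url)
    return (u.scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme))

def source_matches(source, parent, own):
    """Match one frame-ancestors source against the framing page's origin.
    Simplified: handles 'none', 'self', * and scheme://host[:port] with a
    leading *. wildcard; anything else is treated as no match (fail closed)."""
    source = source.lower()
    if source == "'none'":
        return False
    if source == "'self'":
        return parent == own
    if source == "*":
        return parent[0] in DEFAULT_PORTS
    scheme, sep, rest = source.partition("://")
    if not sep or parent[0] != scheme:
        return False
    host, _, port = rest.split("/")[0].partition(":")
    wanted_port = DEFAULT_PORTS.get(scheme) if port == "" else port
    if port != "*" and str(parent[2]) != str(wanted_port):
        return False
    if host.startswith("*."):
        return parent[1].endswith(host[1:])
    return parent[1] == host

def framing_allowed(headers, page_url, parent_url):
    """True if parent_url may embed page_url (checks the direct parent only)."""
    h = {k.lower(): v for k, v in headers.items()}
    own, parent = origin(page_url), origin(parent_url)
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors present: X-Frame-Options is not consulted.
            return any(source_matches(s, parent, own) for s in parts[1:])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return parent == own
    return True  # no framing policy at all: any site may embed the page

# Constructed sample responses for a departmental site (placeholder hostnames).
PAGE, PORTAL = "https://dept.example.edu/", "https://portal.example.edu/"
XFO_ONLY = {"X-Frame-Options": "SAMEORIGIN"}
WITH_CSP = {"X-Frame-Options": "SAMEORIGIN",
            "Content-Security-Policy": "frame-ancestors 'self' https://portal.example.edu"}
```

Removing `X-Frame-Options` without adding a `frame-ancestors` allowlist lands in the final `return True` branch, which is the "embedded on other sites that are out of your control" case the reply describes.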