Prevent nesting site in iFrame (#2148)

scottmakestech · web-flow · commit d6d78f61f2a1 · 2026-02-13T15:30:35.000-06:00
Sets frame-ancestors property to none to prevent nesting this site in an iframe. Although we already set X-Frame-Options to deny, this is the modern CSP method for declaring this setting. Fixes #1080.
diff --git a/config/_default/server.toml b/config/_default/server.toml
@@ -65,6 +65,7 @@ Content-Security-Policy = """
         https://d4twhgtvn0ff5.cloudfront.net/
         https://letsencrypt-merch.myshopify.com
     ;
+    frame-ancestors 'none';
 """
 
 [[headers]]
diff --git a/netlify.toml b/netlify.toml
@@ -83,6 +83,7 @@ Content-Security-Policy = """
         https://www.paypal.com
         https://www.google-analytics.com
     ;
+    frame-ancestors 'none';
 """
 
 [[headers]]

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,7 @@ Content-Security-Policy = """`
`65`	`65`	`https://d4twhgtvn0ff5.cloudfront.net/`
`66`	`66`	`https://letsencrypt-merch.myshopify.com`
`67`	`67`	`;`
	`68`	`+ frame-ancestors 'none';`
`68`	`69`	`"""`
`69`	`70`
`70`	`71`	`[[headers]]`
Original file line number	Diff line number	Diff line change
`@@ -83,6 +83,7 @@ Content-Security-Policy = """`
`83`	`83`	`https://www.paypal.com`
`84`	`84`	`https://www.google-analytics.com`
`85`	`85`	`;`
	`86`	`+ frame-ancestors 'none';`
`86`	`87`	`"""`
`87`	`88`
`88`	`89`	`[[headers]]`