What is frameguard?
The frameguard npm package is used to help secure your web applications by setting the X-Frame-Options header. This header is used to control whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed>, or <object>. This can help prevent clickjacking attacks.
What are frameguard's main functionalities?
Deny
This feature sets the X-Frame-Options header to 'DENY', which means the page cannot be displayed in a frame, regardless of the site attempting to do so.
const frameguard = require('frameguard');
const express = require('express');
const app = express();
app.use(frameguard({ action: 'deny' }));
app.get('/', (req, res) => {
res.send('X-Frame-Options set to DENY');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
SameOrigin
This feature sets the X-Frame-Options header to 'SAMEORIGIN', which means the page can only be displayed in a frame on the same origin as the page itself.
const frameguard = require('frameguard');
const express = require('express');
const app = express();
app.use(frameguard({ action: 'sameorigin' }));
app.get('/', (req, res) => {
res.send('X-Frame-Options set to SAMEORIGIN');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
AllowFrom
This feature sets the X-Frame-Options header to 'ALLOW-FROM https://example.com', which means the page can only be displayed in a frame on the specified origin.
const frameguard = require('frameguard');
const express = require('express');
const app = express();
app.use(frameguard({ action: 'allow-from', domain: 'https://example.com' }));
app.get('/', (req, res) => {
res.send('X-Frame-Options set to ALLOW-FROM https://example.com');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
Other packages similar to frameguard
helmet
Helmet is a collection of 15 smaller middleware functions that set various HTTP headers to help secure your Express.js apps. It includes frameguard as one of its middleware functions, making it a more comprehensive security solution compared to using frameguard alone.
x-frame-options
The x-frame-options package is a simple middleware for setting the X-Frame-Options header. It offers similar functionality to frameguard but is more lightweight and focused solely on the X-Frame-Options header.
X-Frame-Options middleware
The X-Frame-Options
HTTP header restricts who can put your site in a frame which can help mitigate things like clickjacking attacks. The header has two modes: DENY
and SAMEORIGIN
.
This header is superseded by the frame-ancestors
Content Security Policy directive but is still useful on old browsers.
If your app does not need to be framed (and most don't) you can use DENY
. If your site can be in frames from the same origin, you can set it to SAMEORIGIN
.
Usage:
const frameguard = require("frameguard");
app.use(frameguard({ action: "deny" }));
app.use(frameguard({ action: "sameorigin" }));
app.use(frameguard());
A legacy action, ALLOW-FROM
, is not supported by this middleware. Read more here.