Warning! This documentation is a work in progress. Expect things to be out of date and not actually work according to instructions.

Clickjacking Protection

To prevent clickjacking attacks, by default, Stallion adds the header “X-Frame-Options: SAMEORIGIN” to only allow iframes from the same domain.

You can override this globally in your stallion.toml file by adding a setting `xFrameOptions=“ALLOW-FROM https://example.com/

You can override this for a particular endpoint by manually setting the header using Context.response().addHeader().

© 2018 Stallion Software LLC