After adding a custom domain to my asset canister, I noticed that iframe-referenced configurations were not blocked by the appropriate headers, potentially posing security risks for users. How can I add the X-Frame-Origin: DENY header?
Hi @paul.l
The boundary nodes automatically set this header on all API endpoints (query, call, status, read_state), but not on the HTTP endpoints (e.g., custom domains or canister-id.icp0.io).
I am assuming that you are using an asset canister. In that case, you can configure your own headers through .ic-assets.json. I couldn’t find the right docs (it’s not my area of expertise, sorry), but found some remotely related docs that show how to do it: Alternative frontend origins | Internet Computer
I asked internally and once I get the right link, I will post it here.
Here are two links that should clarify ic-assets.json:
Basically, the JSON file structure is an array at the root where each entry has a match string property with a glob pattern, a headers property with a key/value list of headers and, lastly, an optional allow_raw_access* boolean property to allow/block access on the raw sub domain.
* The raw access property is basically redundant functionality in the case of the asset canister with the new gateway architecture.
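As an added illustration of the structure described above (not taken from the thread or from any dfx documentation), here is a `.ic-assets.json` that sets anti-framing headers on every asset. The `match`, `headers` and `allow_raw_access` keys are the ones named in the post; the header values and the second, narrower rule for `/admin` are constructed for this example and should be adapted to the app's own needs. `X-Frame-Options: DENY` is the legacy header (the `X-Frame-Origin` name in the question is not a real header); `Content-Security-Policy: frame-ancestors 'none'` is the modern equivalent that current browsers honour, so both are set.

```json
[
  {
    "match": "**/*",
    "headers": {
      "X-Frame-Options": "DENY",
      "Content-Security-Policy": "frame-ancestors 'none'",
      "X-Content-Type-Options": "nosniff",
      "Referrer-Policy": "strict-origin-when-cross-origin"
    },
    "allow_raw_access": false
  },
  {
    "match": "admin/**/*",
    "headers": {
      "Cache-Control": "no-store"
    },
    "allow_raw_access": false
  }
]
```

Rules are applied in order and the `**/*` glob covers the whole asset tree, so the framing headers reach every file; the later `admin/**/*` entry only adds to them. After redeploying, confirm the result with a plain request against the custom domain, for example `curl -sI https://<your-domain>/ | grep -iE 'x-frame-options|content-security-policy'` (placeholder domain), and check that both headers appear in the response.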
Thank you very much, this will help me solve my problem.