IFrames, X-Frame-Options and how to disable Clickjacking protection

2 min read

What is Clickjacking?

Clickjacking (classified as a User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a user into clicking on something different from what the user perceives, thus potentially revealing confidential information or allowing others to take control of their computer while clicking on seemingly innocuous objects, including web pages.
– Wikipedia

GridPane Clickjacking Protection

By default, GridPane enables clickjacking protection on all websites. This is an important security measure designed to keep your website and your visitors safe.


An IFrame is a way of inserting content from an external source into your website. Iframes by their very nature are insecure and by enabling them you’re opening up potential security vulnerability which could direct unknowing website visitors to unsafe sites.

Clickjacking protection will block iframes from external sources until you manually disable it.

There are, however, some cases which require clickjacking to be disabled in order to work, and we have a GP-CLI command that you can run to disable it on specific websites.


The X-Frame-Options response header lets a browser know whether it’s allowed to render a page inside an <iframe>, <frame>, <embed> or <object> tag.

Learn more about the X-Frame-Options response header here: 

Disabling Clickjacking via GP-CLI

If you need to disable clickjacking we recommend configuring and enabling CSP headers in its place. This will allow you to set sources for your iframes at a granular level:

Step 1. SSH into your server

Please see the following articles to get started:

Generate your SSH Key:

Generate SSH Key on Mac

Generate SSH Key on Windows with Putty

Generate SSH Key on Windows with Windows Subsystem for Linux

Generate SSH Key on Windows with Windows CMD/PowerShell

Add your SSH Key to GridPane:

Add default SSH Keys

Add/Remove an SSH Key to/from an Active GridPane Server

Connect to your server:

Connect to a GridPane server by SSH as Root user.

Step 2. Disable Clickjacking

To turn off clickjacking protection on a specific website, SSH into your server and run the following command (replacing “site.url” with your websites domain name):

gp site site.url -clickjacking-protection-off


gp site gridpane.com -clickjacking-protection-off