move iframe usage to solution scenarios configurations

This commit is contained in:
Livio Spring 2022-12-07 07:08:10 +01:00
parent f5da95e25a
commit 9db31f3808
No known key found for this signature in database
GPG Key ID: 26BB1C2FA5952CF0


@ -74,3 +74,37 @@ Go to the "Advanced" section, per default login with email address should be all
![Login Policy Advanced Setting: Disable email for login](/img/guides/scenarios/login_policy_advanced.png)
## Embedding ZITADEL in an iFrame
To maximise the security during login and in the Console UI, ZITADEL follows security best practices by setting a
Content-Security-Policy (CSP) and X-Frame-Options:
```
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: deny
```
These settings block the use of serving it in an iframe to prevents clickjacking attacks.
### Enable iFrame embedding
:::caution
This change can make you vulnerable to clickjacking attacks.
:::
If your applications need to load ZITADEL inside an iframe, e.g. for a silent login or silent refresh, you can enable the use on an instance level.
1. Navigate to the Instance Settings.
2. Click on the Security Policy tab.
3. Enable the "IFrame use" and add the host(s) you load the iframe from.
You can add further hosts later on.
[//]: # (TODO: add image)
This will change the CSP to the following:
```
Content-Security-Policy: frame-ancestors https://custom-domain.com
```
and remove the X-Frame-Options header.
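Review bot: the sentence "These settings block the use of serving it in an iframe to prevents clickjacking attacks" has a grammatical error (prevents → prevent) and reads awkwardly; suggest "These headers prevent ZITADEL from being rendered in an iframe, which mitigates clickjacking attacks." Two further points in the same hunk: step 3 tells the reader to add "host(s)", but the resulting CSP example shows a single full origin (`Content-Security-Policy: frame-ancestors https://custom-domain.com`); state whether the configured entries are bare hosts or scheme-qualified origins, and show what the directive looks like when more than one is configured (frame-ancestors takes a space-separated list of sources). The `[//]: # (TODO: add image)` placeholder would ship in the published guide; either add the screenshot referenced there or drop the TODO before merging. Cosmetic: `X-Frame-Options: deny` is conventionally written `DENY`; the value is case-insensitive, so this is a style point only.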