Allow iFrame - Fix issue “Display forbidden by X-Frame-Options”


When you try to use your web page in an iFrame on a non-local site, the iFrame won't load or you get an error that says :“Display forbidden by X-Frame-Options”


The X-Frame Options header is set to "SAMEORIGIN" server-wide on the source server


For IIS servers, add an X-Frame Options header in the web.config file of the site you want to source the page from.
1. Open your source site's web.config file./div>
2. Search "X-Frame".
    a. If no results, continue to step 3.
    b. If there is already an X-Frame Options httpProtocol, change value from "SAMEORIGIN" or "DENY"
3. Search "</system.webServer> Just before that tag insert the following code:
      <add name="X-Frame-Options" value="ALLOW-FROM" />
4. Change to the domain name that you are using the iFrame on.
The webpages for your site should now load in an iFrame.

Test it:

  1. Go to and insert the URL that you want to use in your iFrame. Click Preview. The page will fail to load.
  2. Change the URL in the X-Frame-Option httpProtocol to
  3. Go to and insert your URL that you want to use in the iFrame. Click Preview. The page should load now.
This confirms that the httpProtocol X-Frame-Options header is working in the web.config file.

Add Feedback