Secure Application Content

SEI can be embedded in other websites; for example, some Sage products display SEI inside their own web portal. Unless the browser is told which sites may do this, any site, including a malicious one, can load SEI in an invisible iframe and trick a signed-in user into clicking on it (clickjacking).

To prevent unauthorized embedding, send a Content Security Policy (CSP) header whose frame-ancestors directive lists the sites allowed to display SEI in an iframe. Browsers refuse to render the page inside any parent that is not on that list.

Add a content security policy

To control which sites are allowed to embed SEI in an <iframe>, configure a Content-Security-Policy response header using either the web.config file or IIS Manager. The frame-ancestors directive defines the list of authorized parent sites. The policy must be delivered as an HTTP header: frame-ancestors is ignored when a CSP is set through a <meta> tag.

Method 1: Update the web.config file

  1. Open File Explorer and navigate to:
    C:\Program Files\Nectari\Nectari Server\WebServer\web.config
  2. Locate the <customHeaders> section.
  3. Add or update the CSP header. List every permitted parent site in one value, separated by spaces:
    <add name="Content-Security-Policy" value="frame-ancestors http://website1.url.com https://website2.url.com"/>
  4. Save the file. IIS normally picks up web.config changes automatically; if the header does not appear in responses, recycle the application pool or restart the web server.

Example URLs

Type                    Example URL
Standard domain         http://example.nectari.com
Wildcard subdomains     https://*.nectari.com
Localhost development   http://localhost/*

A wildcard is only recognised as the leftmost host label: https://*.nectari.com matches https://app.nectari.com but not https://nectari.com itself. Anywhere else, including in a path, * is a literal character, so prefer writing each parent as an origin without a path (http://localhost or http://localhost:8080), adding the port whenever the parent does not use the default port for its scheme. An http: entry also matches an https: parent, but not the reverse. The keywords 'self' (same origin only) and 'none' (no embedding at all) are valid too.

Example customHeaders section

<httpProtocol>
<customHeaders>
<add name="X-UA-Compatible" value="IE=edge" />
<!-- Removes the header showing the technologies used by the web server -->
<remove name="X-Powered-By" />
<add name="Content-Security-Policy" value="frame-ancestors http://localhost/*" />
</customHeaders>
</httpProtocol>
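The following is an added example, not code from the SEI documentation or the Nectari product: it automates Method 1 by validating a list of parent sites, building the frame-ancestors directive and inserting or replacing the Content-Security-Policy entry under customHeaders. The sample web.config is constructed from the customHeaders section above, wrapped in the configuration and system.webServer elements assumed to surround it; the validation rule (origins only, no path) is stricter than the page's own localhost example for the reason given under Example URLs.

```python
"""Upsert the frame-ancestors CSP header in an IIS web.config (added example)."""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample (assumption): the page's customHeaders example,
# wrapped in the <configuration>/<system.webServer> elements that an
# IIS web.config has around it.
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-UA-Compatible" value="IE=edge" />
        <!-- Removes the header showing the technologies used by the web server -->
        <remove name="X-Powered-By" />
        <add name="Content-Security-Policy" value="frame-ancestors http://localhost/*" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Accept scheme://host[:port] only, with an optional leading "*." label.
# No path: in CSP "*" is a wildcard only for a whole source, the leftmost
# host label or the port, never inside a path, so "http://host/*" is rejected.
_ORIGIN_RE = re.compile(
    r"^https?://(\*\.)?[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*(:(\d{1,5}|\*))?$")


def is_origin_source(source):
    """True if source is 'self', 'none' or an origin-only host source."""
    return source in ("'self'", "'none'") or bool(_ORIGIN_RE.match(source))


def build_frame_ancestors(sources):
    """Validate the sources and return the complete directive string."""
    cleaned = [s.strip() for s in sources if s.strip()]
    if not cleaned:
        raise ValueError("frame-ancestors needs at least one source")
    bad = [s for s in cleaned if not is_origin_source(s)]
    if bad:
        raise ValueError(f"not origin-only sources: {bad}")
    if "'none'" in cleaned and len(cleaned) > 1:
        raise ValueError("'none' cannot be combined with other sources")
    return "frame-ancestors " + " ".join(cleaned)


def _child(parent, tag):
    node = parent.find(tag)
    return node if node is not None else ET.SubElement(parent, tag)


def upsert_csp_header(web_config_xml, policy):
    """Return web.config text with exactly one Content-Security-Policy entry
    under system.webServer/httpProtocol/customHeaders, creating the
    intermediate elements if needed and preserving XML comments."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    root = ET.fromstring(web_config_xml, parser=parser)
    headers = root
    for tag in ("system.webServer", "httpProtocol", "customHeaders"):
        headers = _child(headers, tag)
    existing = [e for e in headers.findall("add")
                if e.get("name", "").lower() == "content-security-policy"]
    if existing:
        existing[0].set("value", policy)
        for dup in existing[1:]:   # a second CSP header would also be enforced
            headers.remove(dup)
    else:
        ET.SubElement(headers, "add",
                      {"name": "Content-Security-Policy", "value": policy})
    # ET.tostring drops the declaration, so put a UTF-8 one back ourselves.
    return '<?xml version="1.0" encoding="utf-8"?>\n' + ET.tostring(root, encoding="unicode")


def csp_header_value(web_config_xml):
    """Read back the configured Content-Security-Policy value, or None."""
    root = ET.fromstring(web_config_xml)
    for add in root.iter("add"):
        if add.get("name", "").lower() == "content-security-policy":
            return add.get("value")
    return None


if __name__ == "__main__":
    # Usage: python csp_webconfig.py [path\to\web.config] origin [origin ...]
    # Without a web.config path the constructed sample is rewritten and printed.
    args = sys.argv[1:]
    if args and args[0].lower().endswith("web.config"):
        path, origins = args[0], args[1:]
        with open(path, encoding="utf-8") as f:   # back the file up first
            xml_in = f.read()
    else:
        path, xml_in = None, SAMPLE_WEB_CONFIG
        origins = args or ["https://*.nectari.com", "http://localhost"]
    xml_out = upsert_csp_header(xml_in, build_frame_ancestors(origins))
    if path:
        with open(path, "w", encoding="utf-8") as f:
            f.write(xml_out)
    else:
        print(xml_out)
```

Run it against the sample first; when pointing it at C:\Program Files\Nectari\Nectari Server\WebServer\web.config, run from an elevated prompt and keep a copy of the original file, because the serialised output re-indents only the elements it creates.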

Method 2: Configure CSP headers in IIS

  1. Open IIS Manager (inetmgr).
  2. Select your SEI site and open HTTP Response Headers.
  3. In the Actions panel, click Add.
  4. Set Name to Content-Security-Policy.
  5. Set Value to the full directive, with every allowed site in one space-separated list, for example frame-ancestors https://portal.example.com https://*.nectari.com.
  6. Click Ok.

Do not add a second Content-Security-Policy header for additional sites. Browsers enforce every CSP header they receive, so a parent must be allowed by all of them, and two headers that each name a different site block both. To allow another site, edit the existing header and append the site to its value. IIS Manager writes the same customHeaders entry into web.config as Method 1.

Obsolete X-Frame-Options directive

The older X-Frame-Options header can only express "never frame" (DENY) or "frame only from the same origin" (SAMEORIGIN). Its ALLOW-FROM <uri> value, the only form that could name another site, is unsupported in Chrome, Firefox and nearly all modern browsers, so X-Frame-Options cannot be used to secure SEI in embedded scenarios.

  • SAMEORIGIN and DENY still function in every browser but block the cross-site embedding that SEI needs.
  • Use the Content Security Policy frame-ancestors directive instead. When both headers are present, a browser that understands frame-ancestors ignores X-Frame-Options, so a leftover SAMEORIGIN header does not weaken the CSP policy, but it still stops older browsers from embedding SEI.

Important: Do not rely on the deprecated ALLOW-FROM <uri> value. Browsers that do not support it ignore the header entirely, leaving SEI embeddable by any site.
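The following is an added example, not part of the SEI documentation: given the response headers of an SEI page, it parses the frame-ancestors directive, tests candidate parent URLs against each source using the CSP3 source-expression rules (leftmost-label wildcards, http-to-https upgrade, default ports, literal paths), and flags the obsolete X-Frame-Options ALLOW-FROM form. It serves both the Example URLs section and this one. The headers, the SEI URL and the candidate parents are constructed for illustration.

```python
"""Check which parent pages a response's clickjacking headers allow (added example)."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample: what an SEI response configured as on this page might
# send, plus a legacy X-Frame-Options header a proxy could still be injecting.
SAMPLE_HEADERS = {
    "Content-Security-Policy":
        "frame-ancestors https://*.nectari.com http://localhost/*",
    "X-Frame-Options": "ALLOW-FROM https://portal.example.com",
}
SAMPLE_SELF_URL = "https://sei.nectari.com/"          # assumed SEI address
SAMPLE_PARENTS = [                                      # constructed candidates
    "https://app.nectari.com/portal",
    "https://nectari.com/",
    "http://localhost/",
    "http://localhost:8080/",
]


def parse_frame_ancestors(csp_value):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin(url):
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _scheme_ok(src_scheme, url_scheme):
    # CSP lets an http: source match an https: parent, never the reverse.
    return src_scheme == url_scheme or (src_scheme == "http" and url_scheme == "https")


def source_matches(source, parent_url, self_url):
    """One CSP source expression against one parent-page URL (CSP3 rules)."""
    src = source.lower()
    p_scheme, p_host, p_port = _origin(parent_url)
    if src == "'none'":
        return False
    if src == "'self'":
        return _origin(parent_url) == _origin(self_url)
    if src == "*":
        return True
    if src.endswith(":") and "/" not in src:            # scheme-source, e.g. https:
        return _scheme_ok(src[:-1], p_scheme)
    # host-source: [scheme://]host[:port][/path]; a missing scheme means ours
    if "://" in src:
        s_scheme, rest = src.split("://", 1)
    else:
        s_scheme, rest = _origin(self_url)[0], src
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _scheme_ok(s_scheme, p_scheme):
        return False
    if host.startswith("*."):                            # "*.nectari.com" -> ".nectari.com"
        if not p_host.endswith(host[1:]):
            return False
    elif host != p_host:
        return False
    if port == "":                                       # no port: parent must use its default
        if p_port != DEFAULT_PORTS.get(p_scheme):
            return False
    elif port != "*" and int(port) != p_port:
        return False
    if path:                                             # "*" is a literal character here
        p_path = urlsplit(parent_url).path or "/"
        path = "/" + path
        return p_path.startswith(path) if path.endswith("/") else p_path == path
    return True


def audit_headers(headers, self_url, candidates):
    """Return (allowed parent URLs, warnings) for a set of response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    warnings, allowed = [], []
    sources = parse_frame_ancestors(h.get("content-security-policy", ""))
    if sources is None:
        warnings.append("no frame-ancestors directive: any site may frame this page")
    else:
        for s in sources:
            if not s.startswith("'") and "/" in s.split("://", 1)[-1]:
                warnings.append(f"{s}: path in source; '*' is not a path wildcard")
        allowed = [c for c in candidates
                   if any(source_matches(s, c, self_url) for s in sources)]
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo.startswith("ALLOW-FROM"):
        warnings.append("X-Frame-Options ALLOW-FROM is obsolete; browsers ignore it")
    elif xfo in ("DENY", "SAMEORIGIN") and sources is not None:
        warnings.append(f"X-Frame-Options {xfo}: ignored where frame-ancestors is "
                        "honoured, but blocks cross-site embedding in older browsers")
    return allowed, warnings


if __name__ == "__main__":
    allowed, warnings = audit_headers(SAMPLE_HEADERS, SAMPLE_SELF_URL, SAMPLE_PARENTS)
    print("allowed parents:", allowed)
    for w in warnings:
        print("warning:", w)
```

With the sample headers only https://app.nectari.com/portal is allowed: https://nectari.com/ is not covered by the *.nectari.com wildcard, http://localhost:8080/ fails the default-port rule, and http://localhost/ fails because /* is compared literally, which is the reason to write parents as origins without a path. To audit a live deployment, replace SAMPLE_HEADERS with the headers captured from the SEI login page (for example from the browser's network panel) and SAMPLE_PARENTS with the portals that are meant to embed it.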