How do I add 'X-Frame-Options' directive.

Hi, we have an AWS cloud-based Java installation of OutSystems and I am looking at how we can restrict OutSystems applications being embedded in an iframe in other applications.

I know we can use the 'frame-ancestors' and/or the 'X-Frame-Options' directives to achieve what we need and I have successfully managed to get the 'frame-ancestors' one to work through the Platform security settings (Content-Security-Policy). However, this works on Chrome, but doesn't work in IE.

So to solve, I want to also use the 'X-Frame-Options' directive and understand that it can be added via the 'Factory Configurations' module (from the Forge). I have downloaded Factory Configurations and tried updating the using the Shared Configurations, but without success. 

Has anyone tried this before, and can you advise me on what to do?



Hi Neil,

Did you check the HTTPRequestHandler extension's AddHeader action? Or are you looking for a more generic approach?

Hey Neil,

It seems that Internet Explorer doesn't fully support Content Security Policy directives. You can check the supported directives here:

We are following the standards so that the browsers seamlessly support Content Security Policy headers added to OutSystems applications but, unfortunately, we cannot ensure that every browser supports every directive.

Let me know if you need any additional clarification.

By the way, thank you for your contribution Kilian!


Thanks Kilian and Lara for your replies.

In respect of what we need then the HTTPRequestHandler extension AddHeader action satisfies the requirements. By using the 'frame-ancestors' (via LifeTime) and the 'X-Frame-Headers' in the application it will cover pretty much all browsers. So I have a solution I can take forward.

By the way, this query is similar to a number of other platform configuration investigations we have done, so I guess I started out to look at how we could manage this directive through Configuration change as opposed to application code change.

Anyway, I now have a way forward so thanks again to you both 

Glad I could be of help. Good luck with your project.

We had used the AddHeader or AddMetaTag method of the HTTPRequestHandler extension for X-Frame-Options with value deny or SAMEORIGIN, but the security tool is still showing us an 'X-Frame-Options Header Not Set' alert in the report summary. Can anyone help me resolve this security issue?

Hey Hemlata,

What browser are you using? Did you check if the X-Frame-Options header is sent on the request besides checking the security tool?

Also, doesn't Content Security Policy frame-ancestors directive apply to your scenario?


Hi Lara,

Thank you... and sorry for late reply, but I am still juggling with this issue.

Actually, I am getting the 'X-Frame-Options Header Not Set' risk when I run the penetration tool, the ZAP scanning tool.

I tried using Factory Configuration with Http Protocol, and now I can see X-Frame-Options: SAMEORIGIN in the Network tab, under Response Headers. But when I run the penetration tool, I am still getting a Medium Risk: 'X-Frame-Options header is not included in the HTTP response to protect against 'ClickJacking' attacks.'

Please suggest a solution for this.


Hey Hemlata,

I am not familiar with that scanning tool.

However, I would suggest that you could try to understand if the browser is actually respecting the header by doing a simple test as it is being made here:

If the header is being enforced in the browser, the problem is with the scanning tool. Otherwise, we will need to understand what's happening.

Let me know about the results!
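
Added example, not part of the original thread and not OutSystems code: a small Python check that reads a raw HTTP response and reports which anti-framing controls a browser would actually enforce, separating a real `X-Frame-Options` response header and a CSP `frame-ancestors` directive from an `X-Frame-Options` meta tag in the page body, which browsers ignore. The two sample responses are constructed for illustration, and the function names are hypothetical.

```python
import re

# Constructed sample responses (not captured from any real site).
HEADER_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Security-Policy: default-src 'self'; frame-ancestors 'self'\r\n"
    "\r\n<html><body>ok</body></html>"
)
META_ONLY = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><head><meta http-equiv="X-Frame-Options" content="DENY"></head></html>'
)

def parse_headers(raw):
    """Return (headers, body); headers maps lowercase name -> list of values."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def framing_report(raw):
    """Summarise the anti-framing controls present in one HTTP response."""
    headers, body = parse_headers(raw)
    xfo = [v.upper() for v in headers.get("x-frame-options", [])]
    # Assumption of this example: count the header only as one DENY/SAMEORIGIN value.
    xfo_ok = len(xfo) == 1 and xfo[0] in ("DENY", "SAMEORIGIN")
    ancestors = None
    for policy in headers.get("content-security-policy", []):
        for directive in policy.split(";"):
            parts = directive.split()
            if ancestors is None and parts and parts[0].lower() == "frame-ancestors":
                ancestors = " ".join(parts[1:])  # keep the first source list seen
    # A meta http-equiv X-Frame-Options tag is markup only; it is not a response header.
    meta_xfo = bool(re.search(r"<meta[^>]+http-equiv=[\"']?x-frame-options", body, re.I))
    return {"xfo_header": xfo[0] if xfo_ok else None,
            "frame_ancestors": ancestors,
            "meta_only": meta_xfo and not xfo_ok and ancestors is None}
```
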


Hi All,

What is the right place to add X-Frame Options using HTTPRequestHandler?

I'm creating a mobile application. Is it wise to add it in the splash screen of the application?

If I add it in one action, will it handle all the requests and screens handled by the application?

Or do I have to add it in every screen of the application?

Thanks & Regards,


Hi All,

Can anyone help me with the above query?


Hi Ajithkumar,

First, the reason why nobody replies is that you replied to a year-old thread that already has many answers (and ultimately was a different question). Next time, just start a new topic.

Secondly, you say you're creating a mobile app. Mobile apps run on the local device, there's no HTTP traffic in that case, so there's no X-Frame-Options. Also, HTTPRequestHandler is an Extension, and therefore cannot be used in Mobile.

I'm going to close this topic to prevent further derailment.