class Helmet::FrameGuardHandler


When your webpage can be put in a frame (like an iframe), you can be vulnerable to a kind of attack called clickjacking, where your page is rendered invisibly inside another page and the user is tricked into interacting with it.

The X-Frame-Options HTTP header restricts who can put your site in a frame. It has three modes: DENY, SAMEORIGIN, and ALLOW-FROM.

Allow this page to be put in frames on the same origin

You can specify this explicitly:

sameorigin = Helmet::FrameGuardHandler::Origin::Same
server = HTTP::Server.new("", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: sameorigin),
  # ...
])

It's also the default:

server = HTTP::Server.new("", 8080, [
  Helmet::FrameGuardHandler.new,
  # ...
])

Don't allow this page to be put in frames (from anywhere)

nowhere = Helmet::FrameGuardHandler::Origin::Nowhere
server = HTTP::Server.new("", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: nowhere),
  # ...
])

Allow this page to be framed by a specific origin

server = HTTP::Server.new("", 8080, [
  Helmet::FrameGuardHandler.new(allow_from: ""),
  # ...
])
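
Current browsers ignore the ALLOW-FROM mode and honour the Content-Security-Policy frame-ancestors directive instead, so a specific-origin policy sent only as X-Frame-Options leaves the page framable there. The following is an added example, not crystal-helmet's own code: it maps the three modes above to both headers and rejects anything that is not a bare origin. Framing, frame_headers, FrameAncestorsHandler and the sample origin are hypothetical names and constructed values.

```crystal
require "http/server"

# Added example, not crystal-helmet's source. All names here are hypothetical.
enum Framing
  Nowhere
  Same
end

# scheme://host[:port] only; rejects paths, wildcards, spaces and CR/LF.
ORIGIN_RE = /\Ahttps?:\/\/[a-z0-9.-]+(:\d{1,5})?\z/i

# Returns {X-Frame-Options value, Content-Security-Policy value}.
def frame_headers(policy : Framing) : Tuple(String, String)
  if policy.nowhere?
    {"DENY", "frame-ancestors 'none'"}
  else
    {"SAMEORIGIN", "frame-ancestors 'self'"}
  end
end

def frame_headers(origin : String) : Tuple(String, String)
  raise ArgumentError.new("not a bare origin: #{origin.inspect}") unless ORIGIN_RE.match(origin)
  {"ALLOW-FROM #{origin}", "frame-ancestors #{origin}"}
end

class FrameAncestorsHandler
  include HTTP::Handler

  @xfo : String
  @csp : String

  def initialize(policy : Framing | String = Framing::Same)
    pair = frame_headers(policy)
    @xfo = pair[0]
    @csp = pair[1]
  end

  def call(context : HTTP::Server::Context)
    headers = context.response.headers
    headers["X-Frame-Options"] = @xfo
    # add (not []=) keeps any CSP set elsewhere; browsers enforce every policy sent.
    headers.add("Content-Security-Policy", @csp)
    call_next(context)
  end
end

# Constructed inputs: print the header pair produced for each mode.
[Framing::Nowhere, Framing::Same, "https://partner.example"].each do |policy|
  xfo, csp = frame_headers(policy)
  puts "X-Frame-Options: #{xfo} | Content-Security-Policy: #{csp}"
end
```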

Class Method Detail

def self.new(allow_from = Origin::Same)

Instance Method Detail

def call(context : HTTP::Server::Context)