Removing X-Frame-Options being added automatically only in Login page
MVC 5 automatically adds an X-Frame-Options header, so go to your Global.asax file and add this to the Application_Start() method:
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
Please note that especially for a login page it is bad practice to remove this header, because it opens up your site for login credentials phishing attacks. So if this site of yours is publicly accessible, I strongly recommend keeping this header.
Old question, but for other people searching for a similar question, you can remove the X-Frame-Options header in specific actions using the following solution:
First, add this code to the Application_Start method in Global.asax.cs (as @Florian Haider said):
System.Web.Helpers.AntiForgeryConfig.SuppressXFrameOptionsHeader = true;
This will suppress the header in all actions. Add a new file named NoIframeAttribute.cs containing the following code:
using System.Web.Mvc;

namespace MyApplication
{
    public class NoIframeAttribute : ActionFilterAttribute
    {
        // Runs before every action and re-adds the header that was suppressed globally.
        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            filterContext.HttpContext.Response.Headers.Set("X-Frame-Options", "SAMEORIGIN");
        }
    }
}
Add the following line to the RegisterGlobalFilters method in FilterConfig.cs:
filters.Add(new NoIframeAttribute());
Now, we have the header added to all actions again. But now we can remove it when needed. Just add the following line wherever needed:
Response.Headers.Remove("X-Frame-Options");