What are security headers?
The X-Frame-Options HTTP response header is used to indicate whether a browser is allowed to render a page in a <frame>, <iframe>, <embed> or <object>. This security header instructs the browser to prevent any site with this header in the response from being rendered within a frame, thus avoiding click-jacking attacks.
Security headers in Instapage
The HTTP Strict Transport Security (HSTS), X-Frame-Options and X-XSS-Protection and X-Content-Type-Options headers are enabled by default on all CNAME published landing pages in Instapage.
The directive available is the max-age directive, which is 1 year.
Custom security headers
If you need custom security headers, you can set that up server-side by publishing through our WordPress or Drupal plugins, or Reverse Proxy.
The Drupal and WordPress plugins only proxies requests from our infrastructure but you will still have full control on which headers you want to set for your pages, as it is your server connecting with the visitors browser.
Alternatively, if you have an experienced developer on your team and are interested in publishing through Reverse Proxy, we offer instructions on setting up Reverse Proxy with Instapage for Convert Plan users.
Note: Security header changes made to one subdomain will be applied to all the subdomains on that domain. For example, a change applied to https://test.mydomain.com will also be applied to https://page.mydomain.com and other mydomain.com URLs.
Note: You may reach out to our Support team on live chat or at help@instapage.com to request to have the X-Frame-Options and/or X-XSS-Protection header disabled. If you would like to embed a landing page in an iframe, please note that we do not officially support this publishing method. If the page needs troubleshooting, we will troubleshoot the URL it is published on in our app. If you would like to embed a page, you can do so under your own responsibility.