Security headers and embedding your pages

What are security headers?

The X-Frame-Options HTTP response header is used to indicate whether a browser is allowed to render a page in a <frame>, <iframe>, <embed> or <object>. This security header instructs the browser to prevent any site with this header in the response from being rendered within a frame, thus avoiding click-jacking attacks.

Security headers in Instapage

The HTTP Strict Transport Security (HSTS), X-Frame-Options and X-XSS-Protection headers are enabled by default on all CNAME published landing pages in Instapage.

Custom security headers

If you need custom security headers, you can set that up server side by publishing through our WordPress or Drupal plugins, or Reverse Proxy.

The Drupal and WordPress plugins only proxies requests from our infrastructure but you will still have full control on which headers you want to set for your pages, as it is your server connecting with the visitors browser.

Alternatively, if you have an experienced developer on your team and are interested in publishing through Reverse Proxy, we offer instructions on setting up Reverse Proxy with Instapage for Convert Plan users.


Note: You may reach out to our Support team on live chat or at to request to have the X-Frame-Options and/or X-XSS-Protection header disabled. If you would like to embed a landing page in an iframe, please note that we do not officially support this publishing method. If the page needs troubleshooting, we will troubleshoot the URL it is published on in our app. If you would like to embed a page, you can do so under your own responsibility.