Secure Application Content
SEI can be embedded in other websites: for example, some Sage products display SEI inside their own web portal. The same capability exposes SEI to clickjacking attacks if a malicious site embeds it without authorization.
To prevent unauthorized embedding, configure a Content Security Policy (CSP) with the frame-ancestors directive. This restricts which websites can display SEI content in an iframe.
Add a content security policy
You can set the frame-ancestors rule using either the web.config file or IIS Manager.
Method 1: Edit web.config file
- Open File Explorer and go to:
  C:\Program Files\Nectari\Nectari Server\WebServer\web.config
- Locate the <customHeaders> section.
- Add or update this line with your allowed website URLs:
  <add name="Content-Security-Policy" value="frame-ancestors http://website1.url.com https://website2.url.com"/>
- Save the file and restart your web server if needed.
Example of URLs
- http://example.nectari.com
- https://*.nectari.com
- For localhost development:
  http://localhost/*
Your <customHeaders> section might look like:

<httpProtocol>
  <customHeaders>
    <add name="X-UA-Compatible" value="IE=edge" />
    <!-- Removes the header showing the technologies used by the web server -->
    <remove name="X-Powered-By" />
    <add name="Content-Security-Policy" value="frame-ancestors http://localhost/*" />
  </customHeaders>
</httpProtocol>
Method 2: Set CSP Headers in IIS
1. Open IIS Manager (inetmgr).
2. Go to your SEI site and open HTTP Response Headers in the IIS section.
3. In the Actions panel, click Add.
4. Set Name to Content-Security-Policy.
5. Set Value to your whitelist of allowed site URLs (the frame-ancestors directive followed by the URLs, as in Method 1).
6. Click Ok.
7. Repeat steps 3–6 for each additional allowed site.
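Before deploying a header value through either method above, it helps to confirm what that value actually permits. The following Python checker is an added example for this page, not Nectari or Sage code. It extracts the frame-ancestors directive from a Content-Security-Policy value and decides, for each candidate embedding origin, whether the directive's source list admits it: 'none', 'self', scheme sources such as https:, and host sources with an optional scheme, a leading *. wildcard and an optional port. A value with no frame-ancestors directive is treated as no framing restriction at all. The checker compares origins only and ignores any path component of an allowlist entry, a simplification chosen for this example; the SEI origin, the candidate origins and the header values in the block are constructed.

```python
"""Evaluate which embedding origins a Content-Security-Policy
frame-ancestors allowlist permits.

Added example for this page, not Nectari/Sage code.  The header values,
the SEI origin and the candidate embedding origins below are constructed.
Matching follows the CSP host-source rules for scheme, host and port but
compares origins only: any path-part on an allowlist entry is ignored,
a simplification chosen for this checker.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def parse_frame_ancestors(csp_value):
    """Return the source expressions of the frame-ancestors directive,
    or None when the header carries no such directive."""
    for directive in csp_value.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def _origin_parts(url):
    """(scheme, host, port) of an origin URL, with the default port filled in."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):                 # *.nectari.com matches any subdomain
        suffix = pattern[1:]
        return host.endswith(suffix) and len(host) > len(suffix)
    return pattern == host


def source_matches(expr, ancestor, self_origin):
    """Does one source expression permit `ancestor` to frame a page at `self_origin`?"""
    low = expr.strip().lower()
    if low == "'none'":
        return False
    if low == "'self'":
        return _origin_parts(ancestor) == _origin_parts(self_origin)
    a_scheme, a_host, a_port = _origin_parts(ancestor)
    if low.endswith(":") and "/" not in low:     # scheme-source such as https:
        e_scheme = low[:-1]
        return a_scheme == e_scheme or (e_scheme == "http" and a_scheme == "https")
    # host-source: [scheme://]host[:port][/path]; the path is dropped (see module docstring)
    e_scheme, rest = low.split("://", 1) if "://" in low else (None, low)
    rest = rest.split("/", 1)[0]
    e_host, e_port = rest.rsplit(":", 1) if ":" in rest else (rest, None)
    if e_scheme is None:
        # No scheme in the expression: the page's own scheme applies, https may upgrade http
        e_scheme = _origin_parts(self_origin)[0]
    if not (a_scheme == e_scheme or (e_scheme == "http" and a_scheme == "https")):
        return False
    if not _host_matches(e_host, a_host):
        return False
    if e_port is None:                           # no port given: only the scheme's default port
        return a_port == DEFAULT_PORTS.get(a_scheme)
    return e_port == "*" or a_port == int(e_port)


def allowed_ancestors(csp_value, candidates, self_origin):
    """Subset of candidate origins that the header lets frame the page.
    A header without frame-ancestors imposes no framing restriction, so
    every candidate is returned: that is the clickjacking exposure."""
    exprs = parse_frame_ancestors(csp_value)
    if exprs is None:
        return list(candidates)
    return [c for c in candidates
            if any(source_matches(e, c, self_origin) for e in exprs)]


# Constructed sample data for the example
SEI_ORIGIN = "https://sei.example.internal"
CANDIDATES = [
    "https://portal.nectari.com",      # an allowed partner portal
    "https://attacker.example.net",    # an unrelated site
    "http://localhost",
    "https://sei.example.internal",    # SEI itself
    "http://website1.url.com",
]
NO_POLICY = ""                                   # header absent: weak
DENY_ALL = "frame-ancestors 'none'"
ALLOWLIST = "frame-ancestors 'self' http://website1.url.com https://*.nectari.com"

if __name__ == "__main__":
    for label, policy in (("no header", NO_POLICY), ("deny all", DENY_ALL), ("allowlist", ALLOWLIST)):
        print(f"{label:10}: {allowed_ancestors(policy, CANDIDATES, SEI_ORIGIN)}")
```

Running the block prints three lines: with no header every candidate, including the unrelated site, may frame SEI; with 'none' nothing may; with the allowlist only the partner portal, SEI itself and website1.url.com remain. Note that a host source without a port only admits the scheme's default port, so a development server on http://localhost:3000 needs either an explicit port or http://localhost:* in the list.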
Obsolete X-Frame-Options directive
The older X-Frame-Options header (such as ALLOW-FROM) is mostly unsupported in modern browsers and should not be used to secure SEI for embedded scenarios.
- SAMEORIGIN and DENY still work but are not recommended for embedded integrations.
- For complete browser compatibility, always prefer the CSP frame-ancestors directive.
Avoid using the deprecated ALLOW-FROM or ALLOWURL directives: they are no longer supported in Chrome, Firefox, and most modern browsers.