onvibe.run

Embedding & Clickjacking Protection

By default a deployed app cannot be embedded in an <iframe> by any site. The platform sends X-Frame-Options: DENY and Content-Security-Policy: frame-ancestors 'none' on every response. This protects against clickjacking — including being framed by another app, since every app lives under the shared onvibe.run parent domain.

You do not need to do anything to get this protection; it is on by default.

Making an app embeddable

If your app is a widget, demo, or anything meant to be embedded in other sites, opt out by adding security.frame to onvibe.json:

{
  "security": {
    "frame": "allow"
  }
}

frame value                     Effect
(omitted) or "deny" / "none"    Default. The app cannot be framed by anyone.
"sameorigin" / "self"           The app can only be framed by pages on its own origin.
"allow" / "any"                 The app can be embedded by any site (no anti-framing headers).

The setting is applied automatically on the next deploy — no code change in main.ts is needed.
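
A post-deploy check for the settings above, written as an added example and not as platform code: it classifies the framing policy a response's headers enforce and compares it with the security.frame value in onvibe.json. The type and function names are made up for this example, and it assumes a single Content-Security-Policy per response and the standard browser rule that frame-ancestors, when present, takes precedence over X-Frame-Options.

```typescript
// Added example (not platform code): does a response enforce what onvibe.json asks for?
type Frame = "deny" | "sameorigin" | "allow";
type Config = { security?: { frame?: string } };

// Canonical value for each alias in the table; an omitted security.frame means deny.
function configuredFrame(config: Config): Frame {
  const raw = config.security?.frame;
  switch (raw) {
    case undefined: case "deny": case "none": return "deny";
    case "sameorigin": case "self": return "sameorigin";
    case "allow": case "any": return "allow";
    default: throw new Error(`unknown security.frame value: ${raw}`);
  }
}

// Source list of the frame-ancestors directive, or null when the CSP has none.
function frameAncestors(csp: string): string[] | null {
  for (const directive of csp.split(";")) {
    const parts = directive.trim().toLowerCase().split(/\s+/);
    if (parts[0] === "frame-ancestors") return parts.slice(1);
  }
  return null;
}

// Policy a browser enforces; "custom" is anything else and needs a manual look.
// When frame-ancestors is present, browsers ignore X-Frame-Options.
function effectiveFrame(headers: Record<string, string>): Frame | "custom" {
  const h: Record<string, string | undefined> = {};
  Object.keys(headers).forEach((k) => { h[k.toLowerCase()] = headers[k]; });
  const sources = frameAncestors(h["content-security-policy"] ?? "");
  if (sources !== null) {
    const only = sources.length === 1 ? sources[0] : "";
    if (sources.length === 0 || only === "'none'") return "deny";
    if (only === "'self'") return "sameorigin";
    return sources.indexOf("*") !== -1 ? "allow" : "custom";
  }
  const xfo = (h["x-frame-options"] ?? "").trim().toLowerCase();
  if (xfo === "deny") return "deny";
  if (xfo === "sameorigin") return "sameorigin";
  return xfo === "" ? "allow" : "custom";
}

// True when the response headers match the configured security.frame value.
function headersMatchConfig(config: Config, headers: Record<string, string>): boolean {
  return effectiveFrame(headers) === configuredFrame(config);
}
```

Feed it the headers from a request to the deployed app; a false result for an app that left security.frame out means the default protection is not reaching clients.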

Notes: