- To defend against clickjacking attacks, configure a list of allowed hosts. The Content Security Policy (CSP) frame-ancestors directive and the X-Frame-Options header are not included in the whitelist; add them to the whitelist explicitly.
[# 706431, 705731]
If you choose not to use this option, the CSP frame-ancestors directive and the X-Frame-Options header are not used by default. However, you can go to "System -> System Administration -> Configure Allowed URLs List" to add hosts to the frame-ancestors whitelist. For example, see below:
To understand which hosts to configure here, contact your security advisor, or read about the security features of this header at the link below:
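As an added illustration that is not part of the original release note or of the product's own code, the check below shows what the two framing headers look like once allowed hosts have been configured, and how to verify on an HTTP response whether a page is actually protected against being framed. The header values and the hostname portal.example.com are constructed samples; the parsing follows the public CSP and X-Frame-Options semantics, not any product-specific behaviour.

```python
"""
Added example: verify anti-clickjacking framing restrictions on an HTTP response.

Reads the Content-Security-Policy frame-ancestors directive and the
X-Frame-Options header from a headers dict and reports whether framing is
restricted and which origins may embed the page. Sample values are constructed.
"""
from typing import Dict, List, Optional


def parse_frame_ancestors(csp: str) -> Optional[List[str]]:
    """Return the source list of the frame-ancestors directive, or None if absent.

    CSP directives are separated by ';', tokens by whitespace; names are
    matched case-insensitively.
    """
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def parse_x_frame_options(value: str) -> str:
    """Normalise X-Frame-Options; anything but DENY/SAMEORIGIN is unsupported.

    ALLOW-FROM is obsolete and ignored by current browsers, so it gives no protection.
    """
    normalised = value.strip().upper()
    return normalised if normalised in ("DENY", "SAMEORIGIN") else "UNSUPPORTED"


def framing_policy(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise the framing restriction expressed by a response's headers.

    Header names are matched case-insensitively. When both mechanisms are
    present, browsers that support frame-ancestors ignore X-Frame-Options.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    ancestors = parse_frame_ancestors(lower.get("content-security-policy", ""))
    xfo = lower.get("x-frame-options")
    result: Dict[str, object] = {
        "protected": False, "allowed_hosts": [], "source": None, "findings": []}
    findings: List[str] = result["findings"]  # type: ignore[assignment]

    if ancestors is not None:
        result["source"] = "frame-ancestors"
        if not ancestors:
            findings.append("frame-ancestors directive has an empty source list")
        elif "*" in ancestors:
            findings.append("frame-ancestors allows any origin ('*')")
        else:
            result["protected"] = True
            # 'none' forbids all framing; every other token is an allowed embedder.
            result["allowed_hosts"] = [t for t in ancestors if t != "'none'"]
        if xfo is not None:
            findings.append("X-Frame-Options also present; ignored where frame-ancestors is supported")
    elif xfo is not None:
        result["source"] = "x-frame-options"
        mode = parse_x_frame_options(xfo)
        if mode == "DENY":
            result["protected"] = True
        elif mode == "SAMEORIGIN":
            result["protected"] = True
            result["allowed_hosts"] = ["'self'"]
        else:
            findings.append(f"unsupported X-Frame-Options value: {xfo.strip()}")
    else:
        findings.append("no frame-ancestors directive and no X-Frame-Options header")
    return result


# Constructed sample: headers a server would send after one external host
# (portal.example.com, a placeholder) has been added to the allowed list.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://portal.example.com",
    "X-Frame-Options": "SAMEORIGIN",
}

if __name__ == "__main__":
    for label, hdrs in [("configured", SAMPLE_HEADERS),
                        ("unprotected", {}),
                        ("wildcard", {"Content-Security-Policy": "frame-ancestors *"})]:
        print(label, framing_policy(hdrs))
```

Running the block prints a summary for each constructed header set; a page is only counted as protected when frame-ancestors names a finite set of origins or when X-Frame-Options is DENY or SAMEORIGIN.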