By default, all sites hosted at Seravo include the X-Frame-Options: SAMEORIGIN header. This security feature prevents unauthorized sites from embedding your content via iframes, protecting your site from clickjacking attacks.
While these default security rules cannot be removed entirely, they can be overridden or relaxed using the methods below.
Recommended Methods to Allow iframes
1. Using PHP (Recommended for WordPress)
You can modify the headers directly in your PHP code (e.g., in functions.php). This is useful for allowing embeds on specific sections of your site based on the URL.
if ( strpos($_SERVER['REQUEST_URI'], '/widget/') !== false ) {
header("X-Frame-Options: ALLOWALL"); }2. Using Nginx Configuration
If a section of your site does not use PHP functionality, you can apply a nginx rule directly to the location block:
location /widget/ {
add_header X-Frame-Options ALLOWALL; }Modern vs. Legacy Browser Support
When configuring access, keep in mind that the standards are evolving:
Legacy Browsers: Use the
X-Frame-Options: ALLOWALLheader. Note that whileALLOWALLis not an official keyword in the spec, it is widely supported by most browsers.Modern Browsers: Use Content-Security-Policy (CSP) with the
frame-ancestorsdirective. This is the modern successor to X-Frame-Options.
Note: If a site emits a frame-ancestors header, modern browsers will prioritize those rules and ignore any conflicting X-Frame-Options settings.
Example for a specific domain: Content-Security-Policy: frame-ancestors https://example.com