HTTPS Embedding Security: Prevent Data Theft - Blog

TL;DR

An attacker can steal information from your HTTPS page if they embed it in a malicious website using an </code> or similar technique. This is because the browser still loads your content, even within another site. The key to preventing this is using Content Security Policy (CSP) and Frame Ancestors headers on your server.</p> <h2>How Embedding Works & Why It’s a Risk</h2> <p>Imagine you have a secure banking page (<code>https://yourbank.com</code>). An attacker creates a fake website (<code>http://evil.example.com</code>) and embeds your banking page within it using an <code><iframe></code> tag:</p> <pre><code><iframe src="https://yourbank.com" width="800" height="600">

Users visiting http://evil.example.com will see your banking page loaded inside the attacker’s site. They might think they are on your legitimate website, and enter their login details – which are then sent to the attacker.

Steps to Protect Your HTTPS Page

Understand Content Security Policy (CSP)

CSP is a security standard that tells the browser where it’s allowed to load resources from. It helps prevent cross-site scripting (XSS) and embedding attacks.
You configure CSP using HTTP headers sent by your server.

Implement Frame Ancestors Header

The Frame-Ancestors header specifically controls which domains are allowed to embed your page in an </code>.</li> <li>To allow only your own domain, set the header like this:</li> </ul> <pre><code>Header always set X-Frame-Options "SAMEORIGIN"</code></pre> <ul> <li>This tells the browser to only allow embedding from pages on the same origin (domain, protocol and port).</li> <li>If you need to allow specific other domains:</li> </ul> <pre><code>Header always set X-Frame-Ancestors "yourbank.com anotherdomain.com"</code></pre> <ul> <li><strong>Important:</strong> Be very careful about which domains you allow! Only include trusted sites.</li> </ul> <li><strong>Configure CSP for your web server</strong></li> <ul> <li>The exact method depends on your web server (Apache, Nginx, etc.). Here are some examples:</li> <li><strong>Apache (.htaccess file):</strong> Add the following line to your <code>.htaccess</code> file:</li> </ul> <pre><code>Header always set Content-Security-Policy "frame-ancestors 'self' yourbank.com;"</code></pre> <ul> <li><strong>Nginx (configuration file):</strong> Add the following to your server block configuration:</li> </ul> <pre><code>add_header Content-Security-Policy "frame-ancestors 'self' yourbank.com;";</code></pre> <ul> <li>Replace <code>yourbank.com</code> with your actual domain(s). The `’self’` keyword allows embedding from the same origin.</li> </ul> <li><strong>Test Your Configuration</strong></li> <ul> <li>Use a browser developer tool (usually by pressing F12) to check if the headers are being sent correctly. Look in the ‘Network’ tab and inspect the response headers for your page.</li> <li>You can also use online CSP testing tools like <a href="https://csp-evaluator.withgoogle.com/">CSP Evaluator</a>.</li> </ul> <li><strong>Regularly Review Your CSP</strong></li> <ul> <li>As your website evolves, you might need to update your CSP to reflect changes in allowed domains or resources.</li> </ul> </ol> <h2>Additional Considerations</h2> <ul> <li><strong>X-Frame-Options vs. Content-Security-Policy:</strong> <code>X-Frame-Options</code> is an older header, and CSP is generally preferred as it offers more flexibility and control.</li> <li><strong>Subdomains:</strong> If you want to allow embedding from subdomains of your domain, you’ll need to include them specifically in the <code>Frame-Ancestors</code> directive (e.g., <code>yourbank.com *.yourbank.com</code>).</li> </ul> </div> <div class="saxon-social-share-fixed sidebar-position-right"> <div class="post-social-wrapper"> <div class="post-social-title">Share:</div> <div class="post-social"> <a title="Share with Facebook" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="facebook" data-title="HTTPS Embedding Security: Prevent Data Theft" class="facebook-share"> <i class="fa fa-facebook"></i></a><a title="Tweet this" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="twitter" data-title="HTTPS Embedding Security: Prevent Data Theft" class="twitter-share"> <i class="fa fa-twitter"></i></a><a title="Share with LinkedIn" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="linkedin" data-title="HTTPS Embedding Security: Prevent Data Theft" data-image="" class="linkedin-share"> <i class="fa fa-linkedin"></i></a><a title="Pin this" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="pinterest" data-title="HTTPS Embedding Security: Prevent Data Theft" data-image="" class="pinterest-share"> <i class="fa fa-pinterest"></i></a><a title="Share to WhatsApp" href="whatsapp://send?text=HTTPS+Embedding+Security%3A+Prevent+Data+Theft: https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="link" class="whatsapp-share"> <i class="fa fa-whatsapp"></i></a><a title="Share by Email" href="mailto:?subject=HTTPS⠀Embedding⠀Security:⠀Prevent⠀Data⠀Theft&body=https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="link" class="email-share"> <i class="fa fa-envelope-o"></i></a> </div> <div class="clear"></div> </div> </div> </div> </div> </article> <div class="saxon-post saxon-post-bottom"> <div class="post-details-bottom"> <div class="post-info-tags"> </div> <div class="post-info-wrapper"> <div class="post-info-views"><i class="fa fa-eye" aria-hidden="true"></i>43</div> </div> <div class="post-info-share"> <div class="post-social-wrapper"> <div class="post-social-title">Share:</div> <div class="post-social"> <a title="Share with Facebook" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="facebook" data-title="HTTPS Embedding Security: Prevent Data Theft" class="facebook-share"> <i class="fa fa-facebook"></i></a><a title="Tweet this" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="twitter" data-title="HTTPS Embedding Security: Prevent Data Theft" class="twitter-share"> <i class="fa fa-twitter"></i></a><a title="Share with LinkedIn" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="linkedin" data-title="HTTPS Embedding Security: Prevent Data Theft" data-image="" class="linkedin-share"> <i class="fa fa-linkedin"></i></a><a title="Pin this" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="pinterest" data-title="HTTPS Embedding Security: Prevent Data Theft" data-image="" class="pinterest-share"> <i class="fa fa-pinterest"></i></a><a title="Share to WhatsApp" href="whatsapp://send?text=HTTPS+Embedding+Security%3A+Prevent+Data+Theft: https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="link" class="whatsapp-share"> <i class="fa fa-whatsapp"></i></a><a title="Share by Email" href="mailto:?subject=HTTPS⠀Embedding⠀Security:⠀Prevent⠀Data⠀Theft&body=https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/" data-type="link" class="email-share"> <i class="fa fa-envelope-o"></i></a> </div> <div class="clear"></div> </div> </div> </div> </div> </div> <nav id="nav-below" class="navigation-post"> <div class="container-fluid"> <div class="row"> <div class="col-md-6 nav-post-prev saxon-post no-image"> <a href="https://blog.g5cybersecurity.com/http-request-smuggling-attack/" class="nav-post-title-link"><div class="nav-post-title">Previous</div><div class="nav-post-name">HTTP Request Smuggling Attack</div></a> </div> <div class="col-md-6 nav-post-next saxon-post no-image"> <a href="https://blog.g5cybersecurity.com/https-key-deletion-security-benefits/" class="nav-post-title-link"><div class="nav-post-title">Next</div><div class="nav-post-name">HTTPS Key Deletion: Security Benefits?</div></a> </div> </div> </div> </nav> <div class="blog-post-related-wrapper clearfix"><h5>Related posts</h5><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zip-codes-pii-are-they-personal-data/">Zip Codes & PII: Are They Personal Data?</a></h3><div class="post-date">January 3, 2026</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-day-vulnerabilities-user-defence-guide/">Zero-Day Vulnerabilities: User Defence Guide</a></h3><div class="post-date">January 3, 2026</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-knowledge-voting-with-trusted-server/">Zero Knowledge Voting with Trusted Server</a></h3><div class="post-date">January 3, 2026</div></div></div><div class="saxon-postsmasonry1-post saxon-postsmasonry1_2-post saxon-post saxon-post-no-image format-" data-aos="fade-up"><div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zeronet-51-attack-risks-mitigation/">ZeroNet: 51% Attack Risks & Mitigation</a></h3><div class="post-date">January 3, 2026</div></div></div></div> </div> <div class="col-md-4 post-sidebar sidebar sidebar-right" role="complementary"> <ul id="post-sidebar"> <li id="saxon-list-posts-3" class="widget widget_saxon_list_entries"> <h2 class="widgettitle">Something Fresh</h2> <ul> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zip-codes-pii-are-they-personal-data/">Zip Codes & PII: Are They Personal Data?</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zeronet-51-attack-risks-mitigation/">ZeroNet: 51% Attack Risks & Mitigation</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> <li class="template-shortline"> <div class="saxon-shortline-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-details"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-knowledge-voting-with-trusted-server/">Zero Knowledge Voting with Trusted Server</a></h3><div class="post-date">January 3, 2026</div></div></div> </li> </ul> </li> <li id="saxon-posts-slider-2" class="widget widget_saxon_posts_slider"> <h2 class="widgettitle">What People Reading</h2> <div class="widget-post-slider-wrapper owl-carousel widget-post-slider-wrapper-3265378"> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/yubikey-security-initial-setup-with-yubi-cloud/">YubiKey Security: Initial Setup with Yubi Cloud</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zero-day-vulnerabilities-user-defence-guide/">Zero-Day Vulnerabilities: User Defence Guide</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/feedback-and-data-driven-updates-to-googles-disclosure-policy/">Feedback and data-driven updates to Googles disclosure policy</a></h3><div class="post-date">August 1, 2022</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/cyber-security/">Cyber Security</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/zap-brute-force-passwords/">ZAP: Brute Force Passwords</a></h3><div class="post-date">January 3, 2026</div></div></div></div></div> <div class="saxon-overlay-alt-post saxon-post saxon-post-no-image" data-aos="fade-up"><div class="saxon-post-wrapper-inner"><div class="saxon-post-details"> <div class="post-categories"><a href="https://blog.g5cybersecurity.com/category/news/">News</a></div> <div class="saxon-post-details-inner"> <h3 class="post-title"><a href="https://blog.g5cybersecurity.com/security-insider-interview-series-john-mcarthur-senior-product-manager-ip-intelligence-and-rupert-young-senior-director-software-engineering-data-compilation-and-identity-neustar/">Security Insider Interview Series: John McArthur, Senior Product Manager, IP Intelligence; and Rupert Young, Senior Director Software Engineering, Data Compilation and Identity, Neustar</a></h3><div class="post-date">August 1, 2022</div></div></div></div></div> </div> </li> <li id="saxon-categories-2" class="widget widget_saxon_categories"><h2 class="widgettitle">Categories</h2> <div class="post-categories"> <a href="https://blog.g5cybersecurity.com/category/cyber-security/" data-style="">Cyber Security<span class="post-categories-counter">36865</span></a><a href="https://blog.g5cybersecurity.com/category/interviews/" data-style="">Interviews<span class="post-categories-counter">353</span></a><a href="https://blog.g5cybersecurity.com/category/news/" data-style="">News<span class="post-categories-counter">137174</span></a> </div> </li> <li id="saxon-text-1" class="widget widget_saxon_text"> <div class="saxon-textwidget-wrapper saxon-textwidget-no-paddings"> <div class="saxon-textwidget" data-style="background-image: url(http://wp.magnium-themes.com/saxon/saxon-1/wp-content/uploads/2018/10/saxon-00026.jpg);padding: 120px 40px 120px 40px;color: #ffffff;text-align: center;"><h5 style="color:#ffffff">Partners</h5> <h3 style="color:#ffffff">Just add here your partners image or promo text</h3><a class="btn" href="#" target="_self">Read More</a></div> </div> </li> </ul> </div> </div> </div> </div> <a class="scroll-to-top btn alt" aria-label="Scroll to top" href="#top"></a> <div class="footer-wrapper"> <footer class="footer-black"> <div class="container"> <div class="row"> <div class="col-md-12 footer-menu" role="navigation"> </div> <div class="col-md-12 col-sm-12 footer-copyright"> <p>© Copyright <a href="http://g5cybersecurity.com" target="_blank" rel="noopener">G5 Cyber Security</a>, Protecting businesses and families from data breaches.</p> </div> </div> </div> </footer> </div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"\/*"},{"not":{"href_matches":["\/wp-*.php","\/wp-admin\/*","\/wp-content\/uploads\/sites\/6\/*","\/wp-content\/*","\/wp-content\/plugins\/*","\/wp-content\/themes\/saxon-child\/*","\/wp-content\/themes\/saxon\/*","\/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <script id='kirki-viewport-lists'>var kirkiViewports = {"md":{"value":1200,"scale":1,"minWidth":1200,"maxWidth":1200,"title":"Desktop","icon":"desktop","activeIcon":"desktop-hover","id":"md","type":"max"},"tablet":{"value":991,"scale":1,"minWidth":991,"maxWidth":991,"title":"Tablet","icon":"tablet-default","activeIcon":"tablet-hover","type":"max","id":"tablet"},"mobileLandscape":{"value":767,"scale":1,"minWidth":767,"maxWidth":767,"title":"Landscape","icon":"phone-hr-default","activeIcon":"phone-hr-hover","type":"max","id":"mobileLandscape"},"mobile":{"value":575,"scale":1,"minWidth":575,"maxWidth":575,"title":"Mobile","icon":"phone-vr-default","activeIcon":"phone-vr-hover","type":"max","id":"mobile"}};</script><script id='kirki-variable-lists'>var kirkiCSSVariable = {"data":[{"title":"Colors","key":"color","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Numbers","key":"size","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Text Styles","key":"text-style","modes":[{"title":"Default","key":"default"}],"variables":[]},{"title":"Font Family","key":"font-family","modes":[{"title":"Default","key":"default"}],"variables":[]}]};</script><script id="kirki-api-and-nonce"> window.wp_kirki = { ajaxUrl: "https://blog.g5cybersecurity.com/wp-admin/admin-ajax.php", restUrl: "https://blog.g5cybersecurity.com/wp-json/", siteUrl: "https://blog.g5cybersecurity.com", apiVersion: "v1", postId: "177704", nonce: "c28b55cccc", call_from: "", templateId: "", context: {"id":177704,"type":"post"} }; </script> <script type="text/javascript"> var sbiajaxurl = "https://blog.g5cybersecurity.com/wp-admin/admin-ajax.php"; </script> <div id="amp-mobile-version-switcher" hidden> <a rel="" href="https://blog.g5cybersecurity.com/https-embedding-security-prevent-data-theft/?amp=1"> Go to mobile version </a> </div> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/aos/aos.js?ver=2.3.1" id="aos-js"></script> <script type="text/javascript" id="thickbox-js-extra"> /* <![CDATA[ */ var thickboxL10n = {"next":"Next >","prev":"< Prev","image":"Image","of":"of","close":"Close","noiframes":"This feature requires inline frames. You have iframes disabled or your browser does not support them.","loadingAnimation":"https:\/\/blog.g5cybersecurity.com\/wp-includes\/js\/thickbox\/loadingAnimation.gif"}; /* ]]> */ </script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-includes/js/thickbox/thickbox.js?ver=3.1-20121105" id="thickbox-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/bootstrap.min.js?ver=3.1.1" id="bootstrap-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/easing.js?ver=1.3" id="easing-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/select2/select2.min.js?ver=3.5.1" id="saxon-select2-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/owl-carousel/owl.carousel.min.js?ver=2.0.0" id="owl-carousel-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/js/template.js?ver=1.3" id="saxon-script-js"></script> <script type="text/javascript" id="saxon-script-js-after"> /* <![CDATA[ */ (function($){ $(document).ready(function($) { "use strict"; $(".content-block ").on("click", ".saxon-post .post-like-button", function(e){ e.preventDefault(); e.stopPropagation(); var postlikes = $(this).next(".post-like-counter").text(); var postid = $(this).data("id"); if(getCookie("saxon-likes-for-post-"+postid) == 1) { // Already liked } else { setCookie("saxon-likes-for-post-"+postid, "1", 365); $(this).children("i").attr("class", "fa fa-heart"); $(this).next(".post-like-counter").text(parseInt(postlikes) + 1); var data = { action: "saxon_likes", postid: postid, }; var ajaxurl = "https://blog.g5cybersecurity.com/wp-admin/admin-ajax.php"; $.post( ajaxurl, data, function(response) { var wpdata = response; }); } }); }); })(jQuery); (function($){ $(document).ready(function() { "use strict"; var owl = $(".sidebar .widget.widget_saxon_posts_slider .widget-post-slider-wrapper.widget-post-slider-wrapper-3265378"); owl.owlCarousel({ loop: true, items:1, autoplay:false, autowidth: false, autoplayTimeout:4000, autoplaySpeed: 1000, navSpeed: 1000, dots: false, responsive: { 1199:{ items:1 }, 979:{ items:1 }, 768:{ items:1 }, 479:{ items:1 }, 0:{ items:1 } } }); });})(jQuery); /* ]]> */ </script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/themes/saxon/inc/modules/mega-menu/js/mega-menu.js?ver=1.0.0" id="saxon-mega-menu-js"></script> <script type="text/javascript" src="https://blog.g5cybersecurity.com/wp-content/plugins/enlighter/cache/X6_enlighterjs.min.js?ver=0A0B0C" id="enlighterjs-js"></script> <script type="text/javascript" id="enlighterjs-js-after"> /* <![CDATA[ */ !function(e,n){if("undefined"!=typeof EnlighterJS){var o={"selectors":{"block":"pre.EnlighterJSRAW","inline":"code.EnlighterJSRAW"},"options":{"indent":4,"ampersandCleanup":true,"linehover":true,"rawcodeDbclick":false,"textOverflow":"break","linenumbers":true,"theme":"enlighter","language":"generic","retainCssClasses":false,"collapse":false,"toolbarOuter":"","toolbarTop":"{BTN_RAW}{BTN_COPY}{BTN_WINDOW}{BTN_WEBSITE}","toolbarBottom":""}};(e.EnlighterJSINIT=function(){EnlighterJS.init(o.selectors.block,o.selectors.inline,o.options)})()}else{(n&&(n.error||n.log)||function(){})("Error: EnlighterJS resources not loaded yet!")}}(window,console); /* ]]> */ </script> </body> </html>