# Iframe Vulnerability Disclosure Report

Hey everyone, today I’d like to share a security vulnerability we recently discovered and fixed on our platform. The issue was related to how our platform handled embedded pages using `<iframe>` elements.

## What Was the Vulnerability?

Our platform allowed users to embed our pages inside their own websites using the HTML `<iframe>` tag. At first glance, this might seem harmless: after all, iframes are widely used for embedding content like videos or widgets. However, in this case, the ability to freely embed the platform posed **a serious security risk**.

> [!note]
> The `<iframe>` element allows a website to load another webpage inside a frame of its own page.
> While it can be useful for integration, it can also become a vector for attacks if not properly controlled.

## Why Was This Important?

Attackers could take advantage of this by embedding our platform inside a malicious website. They could then **trick users** into believing they were interacting with our legitimate site while secretly capturing sensitive data, such as login credentials or session tokens.

> [!warning]
> This technique is commonly referred to as **Clickjacking**: an attack where users are deceived into performing actions they didn’t intend to, on a site they think is trusted.

If left unresolved, this could have resulted in **data theft, credential compromise, or unauthorized access** to user accounts.

## How We Fixed It

To mitigate the risk, we implemented several key security headers:

```http
Content-Security-Policy: frame-ancestors 'none'
X-Frame-Options: DENY
```

These headers ensure that our platform’s pages cannot be loaded inside any external website or frame, effectively **blocking iframe embedding altogether**.

> [!tip]
> The `X-Frame-Options` header is the most direct and reliable way to prevent iframe-based attacks.
> It can be set to `DENY` or `SAMEORIGIN`, depending on whether you want to allow framing from your own origin or not.
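To check that a deployed fix actually blocks framing, it helps to evaluate the response headers the way a browser does rather than just eyeballing them. The following is an added example, not code from the original post or from the platform it describes: a small checker that takes a page's response headers and an ancestor origin and reports whether the frame would be allowed. It models the rules modern browsers apply: a CSP `frame-ancestors` directive, when present, takes precedence and `X-Frame-Options` is ignored; without it, `X-Frame-Options` decides; a value the browser does not recognize (a stray trailing character is enough) is ignored, which silently leaves the page frameable; and `frame-ancestors` is only honored when delivered as an HTTP header, never in a `<meta>` tag. All origins and header sets below are constructed placeholders; scheme-only CSP sources such as `https:` are not modelled.

```python
"""Evaluate a page's anti-framing headers the way a modern browser does.

Added example, not code from the original post. Given the HTTP response
headers of a page and the origin of a document trying to frame it, decide
whether the browser would allow the frame. Origins used below are constructed.
"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin_parts(origin: str):
    """Return (scheme, host, port) for an origin such as https://a.example:8443."""
    u = urlsplit(origin)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)


def _host_matches(pattern: str, host: str) -> bool:
    """CSP host matching: '*.example' covers subdomains only, not the bare host."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def _source_allows(source: str, page_origin: str, ancestor_origin: str) -> bool:
    """Does one frame-ancestors source expression admit the ancestor origin?

    Supported: 'none', 'self', '*', and host sources with an optional scheme
    and port (e.g. https://partner.example, https://*.partner.example:8443).
    A scheme-less host source is compared on host and port only (assumption).
    """
    if source == "'none'":
        return False
    if source == "'self'":
        return _origin_parts(ancestor_origin) == _origin_parts(page_origin)
    if source == "*":
        return True
    a_scheme, a_host, a_port = _origin_parts(ancestor_origin)
    s = urlsplit(source if "://" in source else f"//{source}")
    if s.scheme and s.scheme.lower() != a_scheme:
        return False
    if not _host_matches((s.hostname or "").lower(), a_host):
        return False
    want_port = s.port or DEFAULT_PORTS.get(s.scheme.lower() or a_scheme)
    return want_port == a_port


def _csp_frame_ancestors(csp: str):
    """Return the frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None


def framing_allowed(headers: dict, page_origin: str, ancestor_origin: str) -> bool:
    """True if a page at page_origin served with these headers could be framed
    by a document at ancestor_origin."""
    lower = {k.lower(): v for k, v in headers.items()}
    csp = lower.get("content-security-policy")
    if csp is not None:
        sources = _csp_frame_ancestors(csp)
        if sources is not None:  # CSP decides; X-Frame-Options is ignored
            return any(_source_allows(src, page_origin, ancestor_origin) for src in sources)
    xfo = lower.get("x-frame-options")
    if xfo is not None:
        value = xfo.strip().upper()
        if value == "DENY":
            return False
        if value == "SAMEORIGIN":
            return _origin_parts(ancestor_origin) == _origin_parts(page_origin)
        # Anything else (e.g. "DENY;" with a stray semicolon) is an invalid value;
        # browsers ignore the header, so the page stays frameable.
    return True  # no restriction at all: any site may frame the page


# Constructed sample configurations with placeholder origins.
PAGE = "https://platform.example"
UNPROTECTED = {"Content-Type": "text/html"}
FIXED = {"Content-Security-Policy": "frame-ancestors 'none'", "X-Frame-Options": "DENY"}
PARTNER_ONLY = {"Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example"}


def audit(headers: dict, page_origin: str = PAGE) -> dict:
    """Map a few candidate ancestor origins to whether they could frame the page."""
    ancestors = [page_origin, "https://app.partner.example",
                 "https://partner.example", "https://attacker.example"]
    return {a: framing_allowed(headers, page_origin, a) for a in ancestors}


if __name__ == "__main__":
    for name, hdrs in (("unprotected", UNPROTECTED), ("fixed", FIXED), ("partner-only", PARTNER_ONLY)):
        print(name)
        for ancestor, allowed in audit(hdrs).items():
            print(f"  {ancestor:32} {'ALLOWED' if allowed else 'blocked'}")
```

Running the block prints one line per candidate origin for each configuration; the `partner-only` case shows why `frame-ancestors` is the header to reach for when some embedding must remain allowed, since `X-Frame-Options` cannot express an allow-list.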
## Lessons Learned

Security vulnerabilities like this remind us that **even small configuration oversights can have major consequences**. Embedding content is often seen as a convenience feature, but it must always be controlled through proper security policies.

> [!important]
> Always validate and restrict where your web pages can be loaded from.
> Misconfigured iframes are one of the easiest yet most impactful attack vectors in web security.

## Conclusion

We’ve since patched the issue and verified that all pages are now protected against iframe embedding. Security is an ongoing process, and this case was another valuable lesson in **proactive defense** and **responsible vulnerability management**.