Bitrix Framework

The limits on the frame work can be activated/deactivated on the page Anti-frame protection (Settings > Proactive Protection > Anti-frame protection).

The prohibition to use of cross-domain frames referring to resource pages is introduced by setting the header X-Frame-Options to the value SAMEORIGIN.

Anti-frame protection in Bitrix24 On-premise editions using BitrixVM

Both Bitrix24 On-premise editions and Bitrix Virtual Appliance have anti-frame protection available inside Bitrix24 control panels. You will find header for anti-frame protection in the nginx config file at /etc/nginx/bx/conf/general-add_header.conf. Such entry looks as follows:

add_header X-Frame-Options SAMEORIGIN;

The same header is added when you enable anti-frame protection using the proactive protection module. And, you can configure exceptions, if such header is not required, for different Internet metrics and analytics services.

BitrixVM with standard settings can have a situation, when nginx config overlaps the general system anti-frame protection setup. In this case, header will be always available, even if disabled in the control panel settings. But, with anti-frame protection enabled, header will be duplicated and sites added as exceptions to anti-frame protection - won't work correctly.

A solution for such situation is to use only a single tool. It's recommended to use Anti-frame protection feature available in Bitrix24 to avoid necessity of regular updates for server config files. You can comment out the header once in the file /etc/nginx/bx/conf/general-add_header.conf for BitrixVM:

#add_header X-Frame-Options SAMEORIGIN;

And then you can enable anti-frame protection via Proactive protection > Anti-frame protection.

Now X-Frame-Options header will be written correctly and you can add exceptions via control panel, without changes to server configuration files.