iFrame security in Anvil

Hello there Anvil community,

When reading about iFrames I discovered that there are quite a lot of possible security threats related to them. I won’t go through all of them but you can find them here.

My question is as follows: what does Anvil do to minimise or even eliminate iFrame risks? I’m especially referring to a scenario in which you would embed an iFrame of an Anvil app into, let’s say, a WordPress website.

Also, would it be considered secure enough to do this with highly sensitive data?

1 Like

I’m not a security expert, but there’s not enough context in your question to begin to provide an answer. If you’re planning to build your own page to include your own Anvil app, then as your linked article states “This scenario is clearly harmless. Your page is trusted, the content in the iFrame is trusted, nothing can go wrong.”

1 Like

Hi,

I also plan to use some Anvil apps using iframes, mainly in WordPress.

To make it safe (or safer), it is recommended to make changes to the security headers on your webserver to only allow specific websites to run using iframe.

With WordPress there are security header plugins you can install which make it easier to change the settings. When my Anvil apps are ready, they will run as iframes and my WordPress website will only run iframes from specified URLs.

All the prevention methods detailed in the blog you referenced I believe can be applied using the security header plugins or manually (at your own risk) to your .htaccess file or equivalent.

Hope this is of some help.

1 Like
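The headers the reply above refers to are the Content-Security-Policy `frame-ancestors` directive (with `X-Frame-Options` as the older fallback), which are set on the embedded app and decide which sites may frame it; the embedding page's own `frame-src` covers the other direction. The following Python is an added example, not code from this thread or from Anvil, that evaluates those headers for a given embedding site; the origins and header values are constructed placeholders.

```python
# Checks whether an app's response headers let a given site frame it in an iframe:
# frame-ancestors (CSP) or X-Frame-Options on the EMBEDDED app decide who may frame it.
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [source, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(source, origin, self_origin):
    """Does one CSP source expression match origin ("scheme://host[:port]")?"""
    source, origin = source.lower(), origin.lower()
    if source in ("'none'", "*"):
        return source == "*"
    if source == "'self'":
        return origin == self_origin.lower()
    if source.endswith(":") and "/" not in source:  # scheme-source such as "https:"
        return urlsplit(origin).scheme == source[:-1]
    if "://" not in source:  # bare host: CSP inherits the page's own scheme
        source = urlsplit(self_origin).scheme + "://" + source
    s, o = urlsplit(source), urlsplit(origin)
    if not s.hostname or s.scheme != o.scheme or (s.port is not None and s.port != o.port):
        return False
    if s.hostname.startswith("*."):  # wildcard covers sub-domains, not the bare domain
        return o.hostname.endswith(s.hostname[1:])
    return s.hostname == o.hostname

def framing_allowed(headers, embedder_origin, app_origin):
    """True if the app's headers permit embedder_origin to put it in an iframe."""
    csp = parse_csp(headers.get("Content-Security-Policy", ""))
    if "frame-ancestors" in csp:  # browsers honour CSP over X-Frame-Options
        return any(source_matches(s, embedder_origin, app_origin) for s in csp["frame-ancestors"])
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return xfo == "SAMEORIGIN" and embedder_origin.lower() == app_origin.lower()
    return True  # neither header present: any site may frame the app

# Constructed sample: an app that only lets itself and one WordPress site frame it.
APP_ORIGIN = "https://app.example.org"
APP_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self' https://blog.example.com",
    "X-Frame-Options": "SAMEORIGIN",  # fallback for old browsers without frame-ancestors
}
if __name__ == "__main__":
    for site in ("https://blog.example.com", "https://evil.example.net"):
        print(site, "allowed" if framing_allowed(APP_HEADERS, site, APP_ORIGIN) else "blocked")
```

Pointing `APP_HEADERS` at the real response headers of the framed app (for example from a `curl -I` of its URL) turns this into a quick check that the restriction the plugin or `.htaccess` change was meant to add is actually in effect.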