Tags: php, html, forms, iframe, referer

How to allow iframe embedding only for whitelisted websites?


I've a form that I'd like to embed in a website, which is on my whitelist.

Other websites, that try to embed it, should get only an error page.

<iframe src="https://domain.tld/getForm.php?embed=1&formId=123456"></iframe>

I was hoping that I could use $_SERVER['HTTP_REFERER'] in getForm.php to check the embedding website, but it's not working.

Does anyone know a best practice or any workaround?

Thanks in advance!


Solution

  • Most browsers will support the X-Frame-Options header.

    This header will prevent access:

    X-Frame-Options: SAMEORIGIN
    

    And this header allows access:

    X-Frame-Options: ALLOW-FROM [uri]
    

    Examples for the options:

    X-Frame-Options: DENY
    X-Frame-Options: SAMEORIGIN
    X-Frame-Options: ALLOW-FROM https://example.com/
    

    An example in PHP:

    <?php header('X-Frame-Options: SAMEORIGIN'); ?>
    

    You can read further here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

    Hope it helps a bit!
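Two caveats for anyone applying the answer above. First, `X-Frame-Options: ALLOW-FROM` is obsolete: Chrome and Safari never implemented it and Firefox has dropped it, so a whitelist of embedding sites has to be expressed with the CSP `frame-ancestors` directive, which every current browser enforces and which accepts several origins. Second, the `Referer` header is not an access control: the embedding page can suppress it with a `Referrer-Policy`, and a non-browser client can set it to anything, so it should at most decide which friendly error page to show, never whether the form is served. The following `getForm.php` is an added example, not code from the original question or answer; the partner origins, the `$embedWhitelist` array and the `allowedFramingHeaders()` helper are assumptions made for illustration.

```php
<?php
// Added example (not from the original post): getForm.php emits the framing
// headers for a whitelist of embedding origins. The origins below, the
// $embedWhitelist array and the allowedFramingHeaders() helper are assumptions.

// Origins (scheme + host, optional port) that may embed this form.
// frame-ancestors matches on origin, so no paths and no query strings here.
$embedWhitelist = [
    'https://partner.example',
    'https://www.partner.example',
];

/**
 * Build the response headers that tell the browser who may frame this page.
 * Returns "Name: value" strings instead of calling header() directly so the
 * policy can be inspected or unit-tested without sending a response.
 */
function allowedFramingHeaders(array $whitelist): array
{
    // Accept only clean https origins; a stray path, wildcard or plain-http
    // entry would otherwise widen the policy silently or make it invalid.
    $clean = [];
    foreach ($whitelist as $origin) {
        if (preg_match('~^https://[a-z0-9.-]+(:\d+)?$~i', $origin)) {
            $clean[] = $origin;
        }
    }

    $headers = [];
    if ($clean === []) {
        // Nothing whitelisted: forbid framing altogether.
        $headers[] = "Content-Security-Policy: frame-ancestors 'none'";
        $headers[] = 'X-Frame-Options: DENY';
    } else {
        // 'self' keeps the form usable on its own site; each partner origin is
        // listed explicitly. Browsers that understand frame-ancestors ignore
        // X-Frame-Options when both are present.
        $headers[] = "Content-Security-Policy: frame-ancestors 'self' " . implode(' ', $clean);
        // Fallback for legacy browsers without CSP Level 2: fail closed to
        // same-origin rather than leaving the form embeddable anywhere.
        $headers[] = 'X-Frame-Options: SAMEORIGIN';
    }
    return $headers;
}

// Headers must go out before any output, so do this before rendering the form.
foreach (allowedFramingHeaders($embedWhitelist) as $h) {
    header($h);
}

// ... render the form selected by $_GET['formId'] below ...
```

With these headers a non-whitelisted site that embeds the form gets the browser's own "refused to display" frame rather than a page you control; that is the expected outcome, because the refusal happens client-side after the response has already been sent. If a friendlier message is wanted, it can be rendered conditionally on `Referer` for known partners, but the headers remain the only part that actually stops the embedding.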