Allow Site to Be Framed: Enhancing Security in NetSuite

Learn about the Allow Site to Be Framed feature in NetSuite, which controls whether web pages can be embedded in iframes.


TL;DR

The Allow Site to Be Framed feature in NetSuite enables control over whether your web pages can be embedded in an HTML iframe. This setting is crucial for managing content security and ensuring that user sessions remain intact while interacting with embedded content.

What is the Allow Site to Be Framed Feature?

The Allow Site to Be Framed setting adds HTTP headers that determine the conditions under which your web pages can be framed. While it facilitates embedding, it's important to be cautious with this feature due to modern cookie management practices that can affect site functionality.

Options for Allow Framing

The feature provides three configuration options:

  • Disallow Framing: This is the default setting that allows framing only by the exact same domain/origin.
  • Allow Framing: This option permits framing by any domain/origin.
  • Allow Framing Custom: Here, you can specify a list of authorized domains/origins that are allowed to frame your web pages.

Important Note: Although enabling framing can help render pages, be aware that critical features like login, cart, and checkout may not function properly when the parent domain of the iframe differs from your SuiteCommerce domain.

How to Configure Framing Settings

To configure the Allow Site to Be Framed settings, follow these steps:

  1. Navigate to Advanced > Security in the NetSuite UI.
  2. Locate the setting for Allow Site to Be Framed.
  3. Choose your desired option: Disallow, Allow, or Custom.
  4. If opting for Allow Framing Custom, populate the allowed domains list appropriately.

Allow Site to Be Framed By

The Allow Site to Be Framed By array provides additional configuration to choose which origins are permitted to display pages in a frame. By default, it includes the SAMEORIGIN directive to allow framing by your own domain.

Properties:

  • ID: security.allowFramingBy
  • UI location: Advanced > Security
  • JSON file: SecurityHeaders.json
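
Added example (not from Oracle's documentation or this article): a Python check that classifies a response's framing policy from its headers and flags framing origins outside an approved list. It assumes the setting surfaces as the standard X-Frame-Options and Content-Security-Policy frame-ancestors headers (the page names only the SAMEORIGIN directive); the function names, sample headers and domains are constructed for illustration.

```python
# Added example: classify a response's framing policy from its headers.
# Assumption: the setting surfaces as standard X-Frame-Options and/or CSP
# frame-ancestors headers. Sample headers and domains below are constructed.

def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def classify(headers):
    """Map response headers to (mode, origins); mode is disallow, custom or allow."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # Where frame-ancestors is present, browsers ignore X-Frame-Options.
        if "*" in sources:
            return "allow", ["*"]
        external = [s for s in sources if s not in ("'self'", "'none'")]
        return ("custom", external) if external else ("disallow", [])
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("SAMEORIGIN", "DENY"):
        return "disallow", []
    # No header, or the obsolete ALLOW-FROM value: no effective restriction.
    return "allow", ["*"]

def audit(headers, approved):
    """Return findings: open framing, or framing origins not on the approved list."""
    mode, origins = classify(headers)
    if mode == "allow":
        return ["page can be framed by any origin"]
    return [f"unapproved framing origin: {o}" for o in origins if o not in approved]

SAMPLES = {  # constructed responses, one per configuration option
    "default": {"X-Frame-Options": "SAMEORIGIN"},
    "custom": {"Content-Security-Policy": "default-src 'self'; frame-ancestors "
               "'self' https://portal.example.com https://old.example.net"},
    "open": {"Content-Type": "text/html"},
}
APPROVED = {"https://portal.example.com"}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, classify(hdrs), audit(hdrs, APPROVED))
```

Feed it the headers captured from your own storefront after changing the setting to confirm that the deployed response matches the option you selected.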

Adding Headers to SSP Responses

Furthermore, you can enhance your security setup by adding HTTP headers to your Servlet-Specific Protocol (SSP) responses. Here are two critical properties involved:

  • Name: Define the HTTPS header name (case insensitive).
  • Value: Specify the corresponding value for the HTTPS header.

Additional Information

To learn more about managing secure communication, refer to the HTTPS header documentation. Ensuring that your HTTPS calls comply with best security practices is paramount, especially in today’s security-centric online environment.

Who This Affects

  • Developers: When implementing framing options and understanding cookie management.
  • Administrators: Responsible for configuring security settings in the NetSuite dashboard.

Key Takeaways

  • The Allow Site to Be Framed feature controls iframe embedding for web pages.
  • Be cautious as modern cookie practices may hinder functionality in iframes.
  • Configuration options include disallowing, allowing, or customizing allowed domains.

Source: This article is based on Oracle's official NetSuite documentation.

Frequently Asked Questions (4)

What are the configuration options for the Allow Site to Be Framed setting in NetSuite 2026.1?
The Allow Site to Be Framed setting offers three options: Disallow Framing, Allow Framing, and Allow Framing Custom. Disallow Framing restricts framing to the same domain only, Allow Framing permits any domain to frame your pages, and Allow Framing Custom lets you specify trusted domains that can frame your web pages.

How does the Allow Site to Be Framed setting interact with session-dependent features like login or checkout?
Session-dependent features may encounter issues when your web store is framed by a domain different from your SuiteCommerce domain. This is because while framing settings change how pages are rendered, they do not affect cookie behavior, potentially causing login and cart functionality failures.

Do I need to update any NetSuite configuration files when customizing the Allow Site to Be Framed setting?
Yes, if you require customization at the code level for the Allow Site to Be Framed setting, you should incorporate these security headers into the SecurityHeaders.json file as part of your configuration.

Can enabling the Allow Framing option in NetSuite 2026.1 introduce security risks?
Yes, allowing your site to be framed by any domain can expose it to potential security risks. It is recommended to use the Disallow Framing option for enhanced security or specify trusted domains using the Allow Framing Custom setting to mitigate such risks.

Weekly Update History (1)

SuiteCommerce Solutions (SC, SCA, SCMA) updated

Updated Allow Site to Be Framed to clarify that the Allow Site to be Framed setting doesn't change how browsers treat cookies or how NetSuite sets session cookies.

Source: Allow Site to Be Framed Oracle NetSuite Help Center. This article was generated from official Oracle documentation and enriched with additional context and best practices.
