Allow Site to Be Framed Configuration in NetSuite

Configure the Allow Site to Be Framed setting in NetSuite to manage iframe embedding and enhance security for your web store.


The Allow Site to Be Framed feature enables you to set HTTP headers that determine whether your web pages can be embedded within an HTML iframe. This functionality is essential for developers and administrators looking to control how their web store content is displayed, while also addressing security concerns related to web frame embedding.

Understanding Framing Options

There are three primary options for configuring this setting:

  • Disallow Framing: This is the default setting, allowing pages to be framed only by the exact same domain/origin.
  • Allow Framing: This setting permits pages to be framed by any domain/origin.
  • Allow Framing Custom: With this option, you can specify a list of allowed domains/origins that can frame your web pages. This enhances security by restricting usage to only trusted domains.

Important Security Considerations

When utilizing Allow Framing or Allow Framing Custom, it is important to note that session-dependent features such as login, cart, and checkout may not function correctly if the iframe's parent domain differs from your SuiteCommerce domain. Thus, while the content can be displayed, full functionality cannot be guaranteed when framed by external domains.

Configuration Details

  • ID: security.allowFraming
  • UI Location: Advanced > Security
  • JSON File: SecurityHeaders.json

Allow Site to Be Framed By

This is an additional setting that allows you to specify which origins are permitted to show your pages in a frame. By default, the SAMEORIGIN value is included, enabling display from your own domain.

  • ID: security.allowFramingBy
  • UI Location: Advanced > Security
  • JSON File: SecurityHeaders.json
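To audit what a configured store returns, the check below decides whether a browser would let a given parent origin frame a page. It is an added example, not code from NetSuite or Oracle's documentation. It assumes the setting surfaces as the standard X-Frame-Options and Content-Security-Policy frame-ancestors response headers (the page does not name the headers), uses constructed hostnames, and tests only the immediate parent origin.

```javascript
// Added example (not NetSuite code). Hostnames below are constructed.
// Assumes standard X-Frame-Options and CSP frame-ancestors semantics.
function getHeader(headers, name) {
  // Header names are case-insensitive, so compare in lower case.
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

function frameAncestors(csp) {
  // Source list of the first frame-ancestors directive, or null if absent.
  for (const directive of (csp || '').split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

function sourceMatches(source, parent, self) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (s === "'self'") return parent.origin === self.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false; // 'none', scheme-only or malformed: fail closed
  const [, scheme, wild, host, port] = m;
  // Simplification: a scheme-less source must match the page's own scheme.
  if (parent.protocol !== (scheme ? scheme + ':' : self.protocol)) return false;
  const defaults = { 'http:': '80', 'https:': '443' };
  const parentPort = parent.port || defaults[parent.protocol];
  const portOk = port === '*' || parentPort === (port || defaults[parent.protocol]);
  // "*.example.com" covers subdomains only, never example.com itself.
  const hostOk = wild ? parent.hostname.endsWith('.' + host) : parent.hostname === host;
  return hostOk && portOk;
}

function canBeFramedBy(headers, pageUrl, parentOrigin) {
  const self = new URL(pageUrl), parent = new URL(parentOrigin);
  const sources = frameAncestors(getHeader(headers, 'content-security-policy'));
  // When frame-ancestors is present, browsers ignore X-Frame-Options.
  if (sources !== null) return sources.some(src => sourceMatches(src, parent, self));
  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === self.origin;
  return true; // no (or obsolete ALLOW-FROM) restriction: any origin may frame
}

// Constructed "custom allow list" response for a hypothetical store.
const sample = { 'Content-Security-Policy': "frame-ancestors 'self' https://partner.example" };
console.log(canBeFramedBy(sample, 'https://shop.example/cart', 'https://partner.example'));
console.log(canBeFramedBy(sample, 'https://shop.example/cart', 'https://unrelated.example'));
```

A result of `true` for an origin that is not on your intended allow list means the page can be embedded there and the framing setting should be reviewed.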

Adding Headers to SSP Responses

You can also add HTTP security headers to your HTTPS responses. Each header entry has the following fields:

  • Name (string): The name of the HTTP header (case insensitive).
  • Value (string): The corresponding value for the HTTP header.

The setting is configured as follows:

  • ID: security.headers
  • UI Location: Advanced > Security
  • JSON File: SecurityHeaders.json

Conclusion

Configuring the Allow Site to Be Framed setting effectively is crucial for maintaining the integrity and security of your web store. Always weigh the pros and cons of allowing external domains to frame your content and implement any necessary restrictions to protect user sessions.

Key Takeaways

  • The setting controls iframe embedding of web pages.
  • The default setting disallows framing by any domain other than the site's own.
  • Full functionality may be restricted when framed by different domains.
  • Security headers can be customized for enhanced protection.

Frequently Asked Questions (4)

What are the configuration options for the Allow Site to Be Framed setting in NetSuite 2026.1?
The Allow Site to Be Framed setting offers three options: Disallow Framing, Allow Framing, and Allow Framing Custom. Disallow Framing restricts framing to the same domain only, Allow Framing permits any domain to frame your pages, and Allow Framing Custom lets you specify trusted domains that can frame your web pages.

How does the Allow Site to Be Framed setting interact with session-dependent features like login or checkout?
Session-dependent features may encounter issues when your web store is framed by a domain different from your SuiteCommerce domain. This is because while framing settings change how pages are rendered, they do not affect cookie behavior, potentially causing login and cart functionality failures.

Do I need to update any NetSuite configuration files when customizing the Allow Site to Be Framed setting?
Yes, if you require customization at the code level for the Allow Site to Be Framed setting, you should incorporate these security headers into the SecurityHeaders.json file as part of your configuration.

Can enabling the Allow Framing option in NetSuite 2026.1 introduce security risks?
Yes, allowing your site to be framed by any domain can expose it to potential security risks. It is recommended to use the Disallow Framing option for enhanced security or specify trusted domains using the Allow Framing Custom setting to mitigate such risks.

Weekly Update History (1)

SuiteCommerce Solutions (SC, SCA, SCMA): updated

Updated Allow Site to Be Framed to clarify that the Allow Site to be Framed setting doesn't change how browsers treat cookies or how NetSuite sets session cookies.

Source: Allow Site to Be Framed Oracle NetSuite Help Center. This article was generated from official Oracle documentation and enriched with additional context and best practices.
