
Allow Site to Be Framed Setting in NetSuite 2026.1

The Allow Site to Be Framed feature in NetSuite 2026.1 controls whether web pages can be framed, which affects session-dependent functionality.


The Allow Site to Be Framed feature, introduced in NetSuite 2026.1, allows administrators to set HTTP headers that dictate whether web pages can be displayed within an HTML iframe. This flexibility is significant for web store deployment and integration with other applications, but there are important considerations to keep in mind.

Feature Overview

This setting provides three possible configurations:

  1. Disallow Framing (default setting): Pages can only be framed by the exact same domain/origin. This is the most restrictive option and is recommended for enhanced security.
  2. Allow Framing: Pages can be framed by any domain/origin. While this eases integration with various services, it may expose the site to security risks.
  3. Allow Framing Custom: Administrators can specify a list of allowed domains/origins. Only pages from these trusted entities are permitted to frame the web pages, striking a balance between usability and security.

Important Notes

  • Session Management: The Allow Framing settings adjust how pages are rendered, but they do not change cookie behavior. Session-dependent features such as login, cart, and checkout may encounter issues when a web store is framed by a domain other than your SuiteCommerce domain.
  • Best Practices: Due to modern restrictions on third-party cookies, using iframes is generally not considered a best practice for web stores. The potential for login and cart failures suggests that careful consideration is necessary before enabling any framing options.

Implementation

To configure the Allow Site to Be Framed setting:

  • Navigate to Advanced > Security in the NetSuite UI.
  • Adjust the Allow Framing setting as per your requirements.
  • Use the SecurityHeaders.json file to incorporate these security headers if customizing at a code level.
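
One way to confirm what a configured mode means for a given embedding page, as an added example (not NetSuite or Oracle code): it evaluates a response's framing headers roughly the way a browser does. It assumes the setting is expressed through the standard Content-Security-Policy frame-ancestors directive and the X-Frame-Options header, which this page does not name; the sample header sets and the shop.example.com and portal.partner.example origins are constructed.

```javascript
// Added example, not NetSuite code. Header names are the web-standard ones;
// which of them a SuiteCommerce site emits per mode is an assumption.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// Source list of the CSP frame-ancestors directive, or null when absent.
function frameAncestors(headers) {
  const csp = headers['content-security-policy'] || '';
  for (const directive of csp.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'frame-ancestors') return sources;
  }
  return null;
}

// Match one source expression against the framing page (simplified CSP matching).
function sourceMatches(source, parent, self) {
  if (source === '*') return true;
  if (source.startsWith("'")) return source === "'self'" && parent.origin === self.origin;
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false; // scheme-only or malformed source: not handled, fail closed
  const [, scheme, wild, host, port] = m;
  if (parent.protocol !== (scheme ? scheme.toLowerCase() + ':' : self.protocol)) return false;
  const want = host.toLowerCase();
  if (wild ? !parent.hostname.endsWith('.' + want) : parent.hostname !== want) return false;
  const fallback = DEFAULT_PORT[parent.protocol];
  return port === '*' || (parent.port || fallback) === (port || fallback);
}

// True if a page at parentUrl may embed siteUrl, given siteUrl's response headers.
// Only the direct parent is checked; browsers check every ancestor frame.
function canFrame(headers, siteUrl, parentUrl) {
  const self = new URL(siteUrl), parent = new URL(parentUrl);
  const sources = frameAncestors(headers);
  // When frame-ancestors is present it takes precedence over X-Frame-Options.
  if (sources) return sources.some((s) => sourceMatches(s, parent, self));
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return parent.origin === self.origin;
  return true; // no restriction; ALLOW-FROM is obsolete and ignored by current browsers
}

// Constructed header sets, one per mode described above (values are illustrative).
const SAMPLES = {
  disallow: { 'content-security-policy': "frame-ancestors 'self'", 'x-frame-options': 'SAMEORIGIN' },
  allowAny: {},
  custom: { 'content-security-policy': "frame-ancestors 'self' https://portal.partner.example" },
};
const SITE = 'https://shop.example.com';
for (const [mode, headers] of Object.entries(SAMPLES)) {
  console.log(mode, canFrame(headers, SITE, 'https://portal.partner.example'));
}
```

Run it against headers captured from your own site after changing the setting; a result of true for an origin you did not intend to trust means the effective policy is wider than the mode you selected.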

Who This Affects

This change primarily impacts:

  • Web Developers: Those configuring site integrations will need to understand how framing affects user sessions and security.
  • NetSuite Administrators: Responsible for implementing and managing security settings within the platform.

Key Takeaways

  • The Allow Site to Be Framed feature controls whether web pages can be nested within iframes.
  • It includes options to entirely disallow framing or allow specific domains while keeping security in mind.
  • Caution is advised regarding session dependency issues that could arise when framing web pages from different domains.
  • The feature reflects a shift towards flexible online commerce solutions while maintaining security protocols.
  • Always consider the user experience impacts of allowing your site to be framed by third-party domains.

Frequently Asked Questions (4)

What are the configuration options for the Allow Site to Be Framed setting in NetSuite 2026.1?
The Allow Site to Be Framed setting offers three options: Disallow Framing, Allow Framing, and Allow Framing Custom. Disallow Framing restricts framing to the same domain only, Allow Framing permits any domain to frame your pages, and Allow Framing Custom lets you specify trusted domains that can frame your web pages.

How does the Allow Site to Be Framed setting interact with session-dependent features like login or checkout?
Session-dependent features may encounter issues when your web store is framed by a domain different from your SuiteCommerce domain. This is because while framing settings change how pages are rendered, they do not affect cookie behavior, potentially causing login and cart functionality failures.

Do I need to update any NetSuite configuration files when customizing the Allow Site to Be Framed setting?
Yes, if you require customization at the code level for the Allow Site to Be Framed setting, you should incorporate these security headers into the SecurityHeaders.json file as part of your configuration.

Can enabling the Allow Framing option in NetSuite 2026.1 introduce security risks?
Yes, allowing your site to be framed by any domain can expose it to potential security risks. It is recommended to use the Disallow Framing option for enhanced security or specify trusted domains using the Allow Framing Custom setting to mitigate such risks.

Weekly Update History (1)

SuiteCommerce Solutions (SC, SCA, SCMA): updated

Updated Allow Site to Be Framed to clarify that the setting doesn't change how browsers treat cookies or how NetSuite sets session cookies.

Source: Allow Site to Be Framed Oracle NetSuite Help Center. This article was generated from official Oracle documentation and enriched with additional context and best practices.
