How to allow a Ruby on Rails 4 app to be embedded into another website via iframe


In this mini post I’ll show you how to embed your Ruby on Rails 4 app into another website via a frame or iframe. In general it is the web server (nginx, Apache, etc.) that is responsible for setting the “X-Frame-Options” response header, which controls whether other sites may frame or iframe your site, and by default almost no web server sets this header, so every site is allowed to embed yours via a frame or iframe. Given that the header is not set by default in any web server, this raises the question:

Why can other sites not embed your Ruby on Rails 4 app via a frame or iframe?

This is because Rails 4 adds a default “X-Frame-Options” HTTP header with the value “SAMEORIGIN” to every response it produces, and that header reaches the client’s browser either directly or via the web server that relays the response. This is good for security.

Every HTTP response from your Rails application receives the following default security headers:

X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff

All we need is to replace “X-Frame-Options: SAMEORIGIN” with “X-Frame-Options: ALLOW-FROM URI” in your application.rb, so edit your Rails application.rb and add the following code to it:

$ vim config/application.rb

# Assigning this hash replaces all of Rails' default security headers,
# so every header you want to keep must be listed here.
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'ALLOW-FROM http://www.example.com', # the one site allowed to frame this app
  'X-XSS-Protection' => '1; mode=block',                     # Rails default, kept as-is
  'X-Content-Type-Options' => 'nosniff'                      # Rails default, kept as-is
}

Replace “www.example.com” with the site that will embed your site. Now your Rails app can be embedded by the site you specified in the code above.

Hints:
1. I only changed the "X-Frame-Options" header and kept the other two headers at their default values to preserve the security they provide.
2. If you put only "X-Frame-Options" in that hash, the other two response headers are dropped, because the assignment replaces the whole set of default headers. Do not do this.
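The following is an added example, not code from the original post or from Rails itself. It models in plain Ruby how Rails 4 applies config.action_dispatch.default_headers to a response (defaults are added only for headers the action did not set), shows why hint 2 loses the nosniff and XSS headers, and adds a small check that answers "may a page at this origin frame the response?" from the X-Frame-Options value. The origins http://myapp.example and http://other.example are constructed for the demonstration.

```ruby
require 'uri'

# Added example (not code from the original post): a plain-Ruby model of how
# Rails 4 applies config.action_dispatch.default_headers, plus a check that
# evaluates X-Frame-Options for a given framing origin.
# Origins such as http://myapp.example are constructed for the demonstration.

# The three headers Rails 4 sends by default.
RAILS_DEFAULT_HEADERS = {
  'X-Frame-Options' => 'SAMEORIGIN',
  'X-XSS-Protection' => '1; mode=block',
  'X-Content-Type-Options' => 'nosniff'
}.freeze

# What the post recommends: swap X-Frame-Options for ALLOW-FROM, keep the rest.
def headers_allowing_frame_from(uri)
  RAILS_DEFAULT_HEADERS.merge('X-Frame-Options' => "ALLOW-FROM #{uri}")
end

# The mistake from hint 2: assigning a one-entry hash replaces all three defaults.
def headers_with_only_frame_option(uri)
  { 'X-Frame-Options' => "ALLOW-FROM #{uri}" }
end

# Rails adds each default header to a response unless the action already set it.
def apply_default_headers(response_headers, defaults)
  defaults.each do |name, value|
    response_headers[name] = value unless response_headers.key?(name)
  end
  response_headers
end

# Two URLs share an origin when scheme, host and port all match (RFC 6454).
def same_origin?(a, b)
  ua = URI.parse(a)
  ub = URI.parse(b)
  return false if ua.host.nil? || ub.host.nil?
  ua.scheme == ub.scheme && ua.host.downcase == ub.host.downcase && ua.port == ub.port
end

# May a document served with response_headers from own_origin be framed by a
# document at framing_origin? Follows the X-Frame-Options directives of RFC 7034:
# DENY, SAMEORIGIN, ALLOW-FROM <uri>. A missing header means any site may frame.
def framing_allowed?(response_headers, own_origin, framing_origin)
  value = response_headers['X-Frame-Options']
  return true if value.nil?
  directive, argument = value.strip.split(/\s+/, 2)
  case directive.upcase
  when 'DENY'       then false
  when 'SAMEORIGIN' then same_origin?(own_origin, framing_origin)
  when 'ALLOW-FROM' then !argument.nil? && same_origin?(argument, framing_origin)
  else false # unrecognised directive: refuse rather than guess what a browser would do
  end
end

if __FILE__ == $PROGRAM_NAME
  app = 'http://myapp.example'
  good = apply_default_headers({}, headers_allowing_frame_from('http://www.example.com'))
  puts "www.example.com may frame: #{framing_allowed?(good, app, 'http://www.example.com')}"
  puts "other.example may frame:   #{framing_allowed?(good, app, 'http://other.example')}"
  bad = apply_default_headers({}, headers_with_only_frame_option('http://www.example.com'))
  puts "nosniff kept when only X-Frame-Options is assigned? #{bad.key?('X-Content-Type-Options')}"
end
```

Run it with `ruby` to see the two header sets side by side. Note that the origin comparison is strict: an ALLOW-FROM value of http://www.example.com does not admit https://www.example.com, so list the exact scheme and host the embedding page is served from. One caveat worth knowing before relying on this setting: ALLOW-FROM was only ever honoured by some browsers (Firefox and Internet Explorer), never by Chrome or Safari, which ignore the header when they see that directive; the Content-Security-Policy frame-ancestors directive is the standard replacement and can be set in the same default_headers hash.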
