chore: allow shoogle.dev to embed site in iframe (#1913)

mxkaske · claude · web-flow · commit e9b7934ccdab · 2026-03-03T17:26:54.000+01:00
Replace X-Frame-Options with Content-Security-Policy frame-ancestors
directive to allow embedding from shoogle.dev while maintaining
self-origin protection.

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/web/next.config.ts b/apps/web/next.config.ts
@@ -1,11 +1,11 @@
 import { withSentryConfig } from "@sentry/nextjs";
 import type { NextConfig } from "next";
 
-// REMINDER: avoid Clickjacking attacks by setting the X-Frame-Options header
+// REMINDER: avoid Clickjacking attacks by setting the frame-ancestors directive
 const securityHeaders = [
   {
-    key: "X-Frame-Options",
-    value: "SAMEORIGIN",
+    key: "Content-Security-Policy",
+    value: "frame-ancestors 'self' https://shoogle.dev",
   },
 ];
 
