Bubbles X-Frame Deny vs Content Security Policies & Site Security?

Hey guys,

Just wondering if anyone can shed some light on (what could be) a (possible) site security issue …

For a standard site, probably not a big deal but when you’re dealing with money, you want to minimize all risks …

I want to block my bubble app from being embedded into an iFrame but also give it an exception (of the main domain), i.e. bubbleapp.maindomain.com >> allow to be iFrame embedded into maindomain.com (Only).

Bubbles current (X Frame) options;


“Same Origin” doesn’t apply here.

After a little investigative journey, it appears “Content Security Policies” are preferred for all newer browsers as X-Frame policies are being depreciated.

I’m not a coder (hence why I love Bubble), but I’ve been trying to figure out how to use Content Security Policies within Bubble by adding something like this in the scripts header >> Settings >> SEO / metatags >> Script/metatags in header >>


Problem is, it appears Bubbles X-Frame options override any scripts in the meta header OR there’s something wrong with my script (probably the later)…

OR is there a better place to add the security policy in the server files somewhere?

Testing using a nifty little tool, this is what’s being returned;

So I’m a bit stuck on how to block iFrame embeds while allowing exceptions … if anyone has some more insight, I’m sure the community would be interested also …

Thank you,


This topic was automatically closed after 70 days. New replies are no longer allowed.