Helmet.js

How do I use X-Frame-Options's "ALLOW-FROM" directive?

The X-Frame-Options header has a directive, ALLOW-FROM, which is obsolete. It has limited browser support and has been superseded by the frame-ancestors Content Security Policy directive. To quote MDN: "don't use it."

If you need to set this directive value for some reason, you can create your own small middleware function. Here’s what that might look like:

// NOTE: `ALLOW-FROM` is not supported in most browsers; browsers that do not
// understand it ignore the header entirely, so it gives no protection there.
// `app` is an Express application.
app.use((req, res, next) => {
  res.setHeader("X-Frame-Options", "ALLOW-FROM https://example.com");
  next();
});
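The recommended replacement for ALLOW-FROM is the frame-ancestors CSP directive. The example below is added here and is not Helmet's own code (Helmet's contentSecurityPolicy middleware can also set this directive); it builds an Express-style middleware from a list of allowed embedding origins, rejecting anything that is not a CSP keyword or an absolute http(s) origin so that a typo cannot silently widen the policy. The function names and the tiny request/response stand-in are assumptions for illustration.

```javascript
// Added example (not from the Helmet.js docs). Builds an Express-style
// middleware that sets `Content-Security-Policy: frame-ancestors ...`, the
// supported replacement for the obsolete `X-Frame-Options: ALLOW-FROM`.

// Keywords CSP accepts in a frame-ancestors source list.
const KEYWORDS = new Set(["'self'", "'none'"]);

// Validate and normalise one source expression. This example restricts
// host sources to plain origins (scheme + host + port); paths, query
// strings and non-http(s) schemes are rejected rather than passed through.
function normalizeSource(source) {
  if (KEYWORDS.has(source)) return source;
  let url;
  try {
    url = new URL(source);
  } catch {
    throw new Error(`invalid frame-ancestors source: ${source}`);
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") {
    throw new Error(`frame-ancestors source must be http(s): ${source}`);
  }
  if (url.pathname !== "/" || url.search || url.hash) {
    throw new Error(`frame-ancestors source must be an origin, not a URL: ${source}`);
  }
  return url.origin;
}

// Assemble the directive value. 'none' means "never frame this page" and
// cannot meaningfully be combined with other sources, so that is an error.
function buildFrameAncestors(sources) {
  if (!Array.isArray(sources) || sources.length === 0) {
    throw new Error("frame-ancestors needs at least one source");
  }
  const normalized = sources.map(normalizeSource);
  if (normalized.includes("'none'") && normalized.length > 1) {
    throw new Error("'none' cannot be combined with other sources");
  }
  return `frame-ancestors ${normalized.join(" ")}`;
}

// Middleware factory: validate once at startup, then set the header per request.
function frameAncestors(sources) {
  const value = buildFrameAncestors(sources);
  return (req, res, next) => {
    res.setHeader("Content-Security-Policy", value);
    next();
  };
}

// Minimal stand-in for an Express response (constructed for this example) so
// the middleware can be exercised without starting a server.
function runMiddleware(middleware) {
  const headers = {};
  const res = {
    setHeader(name, v) {
      headers[name.toLowerCase()] = v;
    },
  };
  let nextCalled = false;
  middleware({}, res, () => {
    nextCalled = true;
  });
  return { headers, nextCalled };
}

// Usage with a real Express app would be:
//   app.use(frameAncestors(["'self'", "https://example.com"]));
```

Validating the source list at startup, rather than on each request, means a bad configuration fails when the server boots instead of shipping an unparseable policy to every client.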