
How Can I remove the X-Frame-Options header in IdentityServer4?


I have an IdentityServer4 project in .NET Core 3.0, and I have tried removing the X-Frame-Options header but failed. I have tried with:

public void ConfigureServices(IServiceCollection services)
{
    ...
    services.AddAntiforgery(options => options.SuppressXFrameOptionsHeader = true);
    ...
}

and

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    ...
    app.Use(async (context, next) =>
    {
        context.Response.Headers.Remove("X-Frame-Options");
        await next();
    });
    ...
}

The above is because I need to load the web page from an iframe. I really appreciate your help. Thank you.


Solution

  • It's really a bad practice to host your login screen in an iframe, because then the user who is authenticating can't be 100% sure he is logging in to the expected IdentityServer and not to a hacked server. It's all about trust, and the URL of the IdentityServer (or identity provider) is the only way to be sure the user is logging in to the correct server.

    If you still need to remove it, do look at the SecurityHeadersAttribute.cs class in the IdentityServer user-interface.
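As an added illustration (not code from the question, the answer, or the IdentityServer project), the following C# shows why the middleware in the question has no effect and how a framing policy can be narrowed instead of removed. The filter is modelled on the shape of the QuickStart UI's SecurityHeadersAttribute, which is an assumption; the class names, the FramingPolicyAttribute and UseFramingAllowList helpers, the /embedded path and the https://app.example origin are all hypothetical.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Filters;

// Assumed shape of the QuickStart UI's SecurityHeadersAttribute: a result
// filter sets the headers when the MVC result executes. That happens *after*
// any middleware code that runs before `await next()`, so a Remove() placed
// there is simply overwritten by the filter later in the pipeline.
public class FramingPolicyAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext context)
    {
        var headers = context.HttpContext.Response.Headers;

        // Clickjacking protection stays on by default for every page.
        if (!headers.ContainsKey("X-Frame-Options"))
            headers["X-Frame-Options"] = "SAMEORIGIN";

        // Browsers that support CSP prefer frame-ancestors over X-Frame-Options;
        // 'self' keeps the page out of third-party frames.
        if (!headers.ContainsKey("Content-Security-Policy"))
            headers["Content-Security-Policy"] = "frame-ancestors 'self'";
    }
}

// Hypothetical middleware that relaxes the policy for one path only, and
// names the single origin allowed to frame it rather than dropping the
// protection everywhere. Response.OnStarting runs just before the headers
// are flushed, i.e. after the MVC filter above has set them.
public static class FramingMiddlewareExtensions
{
    public static IApplicationBuilder UseFramingAllowList(
        this IApplicationBuilder app, PathString path, string allowedOrigin)
    {
        return app.Use(async (context, next) =>
        {
            if (context.Request.Path.StartsWithSegments(path))
            {
                context.Response.OnStarting(() =>
                {
                    var headers = context.Response.Headers;
                    // X-Frame-Options cannot express a per-origin allow list,
                    // so it is replaced by an explicit frame-ancestors list.
                    headers.Remove("X-Frame-Options");
                    headers["Content-Security-Policy"] =
                        $"frame-ancestors 'self' {allowedOrigin}";
                    return Task.CompletedTask;
                });
            }
            await next();
        });
    }
}

// Usage in Startup.Configure, registered before app.UseEndpoints(...):
//   app.UseFramingAllowList("/embedded", "https://app.example");
```

The filter is applied per controller or action with [FramingPolicy], as the QuickStart attribute is applied. Keeping the allow list to a single path and a single named origin means the default remains deny, and the login pages the answer warns about keep their protection.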