I’m using the product Cloudflare Access to protect some of my sites.
Independent of the authentication service (tested with one-time password and Google), Cloudflare is redirecting after first access to with the header X-Frame-Options set to DENY.

On regular websites or browsers this isn’t an issue. In the worst case, I need to open the embedded page separately to authenticate. After that the site will be loaded inside the iframe.

My issue is, I want to embed a protected site with an iframe into an Android app which is built around Chromium (kind of PWA). Due to the fact that Chrome and PWA do not share application data (e.g. cookies), I always get an ERR_BLOCKED_BY_RESPONSE.

Is there a workaround to get rid of this X-Frame-Options header or to set the allowed hosts? The issue is definitely on Cloudflare’s side.

In my current case I use a third-party monitoring app which allows embedding additional content through iframes. What I want to achieve is embedding Grafana which is protected with Cloudflare Access.

Thank you!
Cheers Danny

For security reasons, the deny rules are defined by default; some domains, like YouTube or Wikipedia, allow you to do this, while others do not allow it for security reasons. If the header is defined by Cloudflare, it may not allow other configuration, since it is a serious failure to allow frames from other domains.
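
To see which response header decides whether a page may be framed, the following added example (not part of the thread, and not Cloudflare's code) models the browser-side check for `X-Frame-Options` and the CSP `frame-ancestors` directive. The function names and the URLs `https://login.example/` and `https://monitor.example` are constructed placeholders, and the model is simplified: it only looks at the direct parent origin and only understands `'none'`, `'self'`, `*` and exact origins as sources.

```javascript
// Added example: simplified model of a browser's framing check.
// Header names are expected as lowercase keys; all URLs are constructed samples.

function frameAncestors(csp) {
  // Return the frame-ancestors source list, or null when the directive is absent.
  for (const directive of (csp || "").split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "frame-ancestors") return sources;
  }
  return null;
}

function framingDecision(headers, pageUrl, parentOrigin) {
  const self = new URL(pageUrl).origin;
  const parent = new URL(parentOrigin).origin;

  // CSP frame-ancestors, when present, replaces X-Frame-Options entirely.
  const sources = frameAncestors(headers["content-security-policy"]);
  if (sources !== null) {
    const ok = sources.some((s) => {
      if (s === "*") return true;
      if (s.toLowerCase() === "'self'") return parent === self;
      if (s.toLowerCase() === "'none'") return false;
      try { return new URL(s).origin === parent; } catch { return false; }
    });
    return { allowed: ok, decidedBy: "frame-ancestors" };
  }

  const xfo = (headers["x-frame-options"] || "").trim().toLowerCase();
  if (xfo === "deny") return { allowed: false, decidedBy: "x-frame-options" };
  if (xfo === "sameorigin") {
    return { allowed: parent === self, decidedBy: "x-frame-options" };
  }
  // Absent or unrecognised values (including the obsolete ALLOW-FROM) do not block.
  return { allowed: true, decidedBy: "none" };
}

// The case from the question: a login page sent with X-Frame-Options: DENY.
console.log(framingDecision({ "x-frame-options": "DENY" },
  "https://login.example/", "https://monitor.example"));
```

A `DENY` value blocks every embedding origin, which is why the login redirect fails inside the iframe even though the protected site itself can be framed once a session cookie exists.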

