Advanced Website: Load site in an iFrame

The information in this article is relevant only for Pro users at this time. For information about booking websites for Lite users, refer to the Guesty Booking Engine.

You may want to allow your site to be embedded in an iframe on a different site (for example, to create a template page with your sites). Allowing a site to be loaded inside of an iframe in another site may allow malicious actors to use your site and brand to trick visitors into clicking the wrong link or submitting data to outside sources. Only enable this option if you want the site to be loaded in an iframe.


By default, the ability to load your site in an iframe on another site is disabled. We recommend not changing the default unless it is mandatory for your specific site. Sites created before April 5, 2020 are permitted to be displayed in an iframe.

To enable the ability to load the site in an iframe:

  1. In the left panel, click Settings, and then click Site SSL.
  2. Click the Allow site to be loaded in an iframe toggle.

Security settings

The following security settings have been implemented to inform browsers that the site should not load inside of an iframe on another site:

  • x-frame-options: SAMEORIGIN
  • content-security-policy: frame-ancestors 'self'

The x-frame-options setting is the original version, while content-security-policy is a newer setting that is not yet fully supported by all browsers. Both tell browsers that the site should not be loaded within an iframe on another site.

These settings are enabled by default so that the site follows the best security practices out of the box. Preventing sites from loading within an iframe by default is a small step to prevent sites from being used for ClickJacking. ClickJacking is where a malicious user loads the site inside a frame on their own page and uses the design of the site to try to get users to pass personal information that can be intercepted or collected.
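
To confirm which state the toggle has left a site in, the two headers listed above can be classified from a saved HTTP response. The following is an added example, not Guesty's code; the function names and the four policy labels (deny, same-origin, restricted, any-site) are assumptions made for illustration.

```python
# Added example. Header values passed to it are constructed, not captured from a real site.
RANK = ["deny", "same-origin", "restricted", "any-site"]  # strictest first

def _classify_sources(sources):
    """Map one frame-ancestors source list to a policy class."""
    if not sources or sources == ["'none'"]:
        return "deny"                      # an empty list matches no embedder
    if any(s in ("*", "http:", "https:") for s in sources):
        return "any-site"
    return "same-origin" if sources == ["'self'"] else "restricted"

def _frame_ancestors(policy):
    """Return the frame-ancestors source list of one CSP policy, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None

def framing_policy(headers):
    """headers: list of (name, value) pairs from one HTTP response."""
    csp, xfo = [], set()
    for name, value in headers:
        name = name.strip().lower()
        if name == "content-security-policy":
            for policy in value.split(","):      # one header may carry several policies
                sources = _frame_ancestors(policy)
                if sources is not None:
                    csp.append(_classify_sources(sources))
        elif name == "x-frame-options":
            xfo.update(v.strip().upper() for v in value.split(",") if v.strip())
    if csp:
        # Browsers that support frame-ancestors ignore X-Frame-Options when it is present.
        # Every policy must allow the embedder, so report the strictest class.
        return min(csp, key=RANK.index)
    if len(xfo) > 1 and xfo & {"DENY", "SAMEORIGIN", "ALLOWALL"}:
        return "deny"                            # conflicting values block framing
    if xfo == {"DENY"}:
        return "deny"
    if xfo == {"SAMEORIGIN"}:
        return "same-origin"
    return "any-site"                            # absent, obsolete ALLOW-FROM, or invalid
```

A result of same-origin matches the default headers described in this article; any-site means another site can embed the pages.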
