< class="prominent-subhead ">

Preventing Cross Frame Scripting (XFS) via X-Frame-Options

This article was created in response to a support issue logged with K2. The content may include typographical errors and may be revised at any time without notice. This article is not considered official documentation for K2 software and is provided "as is" with no warranties.


Cross-Frame Scripting (XFS) is an attack that combines malicious JavaScript with an iframe that loads a legitimate page in an effort to steal data from an unsuspecting user. When customers performed penetration tests or other similar security audits on their K2 Smartforms, they may receive reports explaining that Smartforms is vunerable to Cross-Frame Scripting.

This can be easily resolved by making sure Smartforms repond with the X-Frame-Options response header. The X-Frame-Options HTTP response header can be used to indicate whether a browser should be allowed to render a page in <frame>, <iframe> or <objects>. By default, K2 Smartforms is not set up with X-Frame-Options header configured.


  • Penetration tests, or other security audits will indicate that K2 Smartforms has failed the Cross-Frame Scripting test.
  • It is possible to display Smartforms on another web page by embedding an iframe to load Smartforms.

Troubleshooting Steps

Please note that setting X-Frame-Options will also prevent your SmartForms forms from loading properly within your SharePoint site.

  1. On the web server that is hosting your Smartforms, go to [Program Files]\K2\K2 Smartforms Runtime, open web.config, and add the X-Frame-Options, so that it looks similar to this in the Smartforms Runtime web.config:

          <add name="X-Frame-Options" value="SAMEORIGIN" />
  2. Perform IISRESET to apply the settings.
  3. You can also configure the same for your K2 Designer. Just edit web.config from [Program Files]\K2\K2 Smartforms Designer, and follow the same steps above.

Alternatively, you can also do it through the IIS Manager.