Iframe Usage
Medium Severity
What This Check Measures
This check detects `<iframe>` elements in the page's HTML. An iframe embeds another document inside the page, frequently one served by a third-party origin, so the page's security posture depends in part on whatever those embedded sources serve.
Why It Matters
- Malicious Content — a compromised or untrustworthy frame source can serve malware or phishing content inside your page's chrome, where users have no reason to distrust it
- Clickjacking — invisible or transparent frames are the building block of clickjacking; whether your own page can be framed by someone else is governed by X-Frame-Options / CSP frame-ancestors, covered separately
- Data Leakage — third-party frames receive referrer information, can set cookies and can track user behavior across sites
- Performance — each external iframe is an additional document to fetch, parse and render, which slows page loading
- Trust Dependency — your site's security depends on the frame sources; a compromised embed provider compromises every page that embeds it
How Data Is Obtained
Source File
src/checks/safety.check.js
Function
SafetyCheck.analyze(url)
Input
response.data — The HTML content returned by the target URL
Detection Logic
```javascript
// Count iframe opening tags in the raw HTML with a case-insensitive regex.
// response.data may be undefined (hence the optional chaining), in which case
// the check falls back to an empty match list.
const iframes = response.data?.match(/<iframe/gi) || [];
checks.push({
  name: 'Iframe Usage',
  // Any iframe at all downgrades the check to a warning; none means pass.
  status: iframes.length > 0 ? 'warn' : 'pass',
  description: iframes.length > 0
    ? `${iframes.length} iframes detected - verify they're from trusted sources`
    : 'No iframes detected',
  severity: 'medium'
});
```
The match is purely textual: it counts every `<iframe` prefix in the response body, including tags inside HTML comments or script strings, and it never reads the `src` attribute, so same-origin and third-party frames count the same. Treat the number as a prompt to inspect the page, not as a count of live third-party embeds.
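The following is an added example, not code from the scanner itself: a stricter variant of the same check that keeps the check-object shape above but also resolves each frame's `src` against the page URL (so same-origin, third-party and src-less frames are told apart), strips HTML comments before counting, and records whether a frame carries `sandbox` or `referrerpolicy`. The page URL, the sample HTML and the origin labels are constructed for the example; a DOM parser such as jsdom would be more robust than regex, but the regex form mirrors what the scanner does.

```javascript
// Added example (not the scanner's own code): origin-aware iframe audit.
// Still regex-based and therefore a heuristic, like the original check.

// Opening <iframe ...> tags and their raw attribute text.
const IFRAME_RE = /<iframe\b([^>]*)>/gi;
// name="value", name='value', name=value or a bare name inside that text.
const ATTR_RE = /([a-z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/gi;

function parseAttributes(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Classify where a frame's content comes from relative to the host page.
function classifyFrame(attrs, pageUrl) {
  const src = (attrs.src ?? '').trim();
  if (src === '') return 'no-src';                     // srcdoc or script-filled frames
  if (/^(about|javascript|data|blob):/i.test(src)) return 'non-network';
  try {
    // new URL(src, base) resolves relative paths and protocol-relative //host URLs.
    const frameOrigin = new URL(src, pageUrl).origin;
    return frameOrigin === new URL(pageUrl).origin ? 'same-origin' : 'third-party';
  } catch {
    return 'unparseable';
  }
}

function analyzeIframes(html, pageUrl) {
  // Drop HTML comments first; a bare /<iframe/gi also counts commented-out tags.
  const body = (html || '').replace(/<!--[\s\S]*?-->/g, '');
  const frames = [];
  for (const m of body.matchAll(IFRAME_RE)) {
    const attrs = parseAttributes(m[1]);
    frames.push({
      src: attrs.src ?? null,
      origin: classifyFrame(attrs, pageUrl),
      sandboxed: 'sandbox' in attrs,
      referrerpolicy: attrs.referrerpolicy ?? null,
    });
  }
  const thirdParty = frames.filter((f) => f.origin === 'third-party');
  const unsandboxed = thirdParty.filter((f) => !f.sandboxed);
  // Same shape as the scanner's check object, plus the per-frame detail.
  return {
    name: 'Iframe Usage',
    status: frames.length > 0 ? 'warn' : 'pass',
    severity: 'medium',
    description: frames.length > 0
      ? `${frames.length} iframes detected (${thirdParty.length} third-party, ` +
        `${unsandboxed.length} of them without sandbox) - verify they're from trusted sources`
      : 'No iframes detected',
    frames,
  };
}

// Constructed sample page (not a real scan result) covering the edge cases:
// a commented-out frame, a mixed-case tag, a protocol-relative tracker pixel,
// a sandboxed same-origin frame and a srcdoc frame with no src at all.
const SAMPLE_URL = 'https://shop.example/checkout';
const SAMPLE_HTML = `<!doctype html>
<html><body>
<!-- <iframe src="https://old.example.com/widget"></iframe> (disabled) -->
<iframe src="https://www.youtube.com/embed/abc123" allow="fullscreen"></iframe>
<IFRAME src='//tracker.example.net/pixel' width=1 height=1></IFRAME>
<iframe src="/help/embedded" sandbox="allow-scripts" referrerpolicy="no-referrer"></iframe>
<iframe srcdoc="hello" sandbox></iframe>
</body></html>`;

const REPORT = analyzeIframes(SAMPLE_HTML, SAMPLE_URL);
console.log(REPORT.description);
for (const f of REPORT.frames) console.log(f);
```

Running it on the sample reports four frames (the commented-out one is ignored), two of them third-party and unsandboxed: the YouTube embed and the protocol-relative tracker, which the original check would have counted but not distinguished from the sandboxed same-origin help frame.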
Libraries
- axios — fetches the page HTML
- Native JavaScript — `String.match()` with a regex
Status Values
| Status | Condition | Meaning |
|---|---|---|
| pass | No iframes found | Page doesn't embed external content via iframes. Lower risk. |
| warn | 1+ iframes detected | External content is embedded. Should verify sources are trustworthy. |
Severity: Medium
This check has medium severity because:
- Iframes from trusted sources (YouTube, Google Maps, etc.) are generally safe
- The risk depends entirely on the iframe source
- Many legitimate websites use iframes for embedding content
- It's a warning to verify, not an automatic security failure
Common Legitimate Iframe Uses
- YouTube/Vimeo video embeds
- Google Maps integration
- Social media widgets (Twitter, Facebook)
- Payment forms (Stripe, PayPal)
- Chat widgets (Intercom, Zendesk)
- Analytics dashboards
Security Best Practices
Securing Iframes
- sandbox attribute — restrict what the framed document may do (scripts, forms, top-level navigation, popups). Start from an empty `sandbox` and add only the `allow-*` tokens the embed needs; do not combine `allow-scripts` with `allow-same-origin` on a same-origin frame, since that lets the framed document remove its own sandbox
- Only trusted sources — only embed content from known, reputable domains, and prefer HTTPS `src` URLs over protocol-relative ones
- CSP frame-src — in your own Content-Security-Policy, allowlist the origins your page is permitted to embed; this is the directive that governs the frames this check counts
- X-Frame-Options header — prevent your site from being iframed by others (see Security section)
- CSP frame-ancestors — modern replacement for X-Frame-Options, with per-origin allowlisting
- referrerpolicy — control what referrer information the frame request sends (for example `referrerpolicy="no-referrer"` on tracking or third-party embeds)
Impact on Category Score
As a medium severity check with warn status, iframe detection has a moderate negative impact on the Safety & Threats score. A pass (no iframes) contributes positively.