A request that’s come up from time to time is how to embed Mattermost in web applications using an iframe.
Any web application embedded into another using an iframe is exposed to an exploit known as clickjacking, because the outer application can intercept all user input into the embedded application. By default, Mattermost disables embedding.
If you choose to embed Mattermost using the following instructions, we highly recommend doing so only on a private network that you control.
To embed Mattermost in an iframe, update your NGINX configuration to strip out the security policy settings from the HTTP response headers.
Replace all occurrences of the following line in your proxy config:
proxy_set_header X-Frame-Options SAMEORIGIN;
With the following two lines:
proxy_hide_header Content-Security-Policy;
proxy_hide_header X-Frame-Options;
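A narrower variant of the change above, as an added example that is not part of the Mattermost documentation: it hides the upstream headers as described, then re-issues a frame-ancestors policy so that only one named parent application can frame Mattermost. The upstream name backend and the origin https://portal.example.internal are assumptions; substitute your own.

```nginx
# Added example. "backend" and "portal.example.internal" are placeholders.

# Variant A: the two lines from the instructions above, on their own.
# Both framing controls are gone, so a page on ANY origin can embed Mattermost.
#
# location / {
#     proxy_hide_header Content-Security-Policy;
#     proxy_hide_header X-Frame-Options;
#     proxy_pass http://backend;
# }

# Variant B: same removal, plus a replacement policy naming the one allowed parent.
location / {
    # The upstream CSP must be hidden, not supplemented: when a response carries
    # two Content-Security-Policy headers the browser enforces both, so an
    # upstream policy that restricts framing would still block the embed.
    proxy_hide_header Content-Security-Policy;

    # X-Frame-Options cannot express "this one other origin", so it stays hidden
    # and the allow-list is carried by frame-ancestors instead.
    proxy_hide_header X-Frame-Options;

    # Only Mattermost itself and the named portal may frame the response.
    # "always" also covers error responses.
    # This header replaces the whole upstream policy, as Variant A already does.
    add_header Content-Security-Policy "frame-ancestors 'self' https://portal.example.internal" always;

    proxy_pass http://backend;
}
```

After reloading NGINX, confirm with curl -I against the proxy that X-Frame-Options is absent and that exactly one Content-Security-Policy header is returned. Note that add_header directives in a location block replace, rather than extend, any add_header directives inherited from the server block.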
You can view related forum posts here.