Submit a ticketCall us

AnnouncementsChange Is Inevitable

Get valuable help when it comes to tracking and monitoring changes. SolarWinds® Server Configuration Monitor (SCM) is designed to help you: detect, track, and receive alerts when changes occur, correlate system performance against configuration changes, compare server and application configuration against custom baselines, and verify application and system changes.

Learn more.

Home > Success Center > Network Performance Monitor (NPM) > NPM - Knowledgebase Articles > NPM 11.5 and later prevents an iFrame from displaying within an external web site or a custom web page

NPM 11.5 and later prevents an iFrame from displaying within an external web site or a custom web page


The Orion web configuration is changed in NPM 11.5 as a security measure to prevent Cross-Site Request Forgery (CSRF) and Clickjacking attacks.  As a result, displaying resources on Orion in an a custom web page is not possible.  


  • NPM 11.5  
  • Orion Platform 2015.1.x


The following was added to the web config as a security measure.


X-Same-Domain: 1
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block



  • Consult your System Administrator before performing the following procedure. 
  • The following changes will make the Orion Web Console vulnerable to Cross-Site Request Forgery (CSRF) and Click-jacking attacks.
  • SolarWinds strongly recommends that you only edit the web.cfg file as instructed. Any additional modifications may result in system performance issues or may create an error state.
  • Save a copy of the original web.cfg file to your local drive as a backup file, in case you need to roll back later.


  1. Go to the web folder. By default, it is located at C:\inetpub\SolarWinds.
  2. Open the web.cfg file for editing.
  3. Delete the following key from the file: <add name="X-Frame-Options" value="SAMEORIGIN" />
  4. Click Save.
  5. Press Ctrl+F5 from your web browser. 
Last modified