Security (severity: Low)

Iframe Sandboxing

Checks embedded iframes for sandbox attribute restricting capabilities.

What this check measures

We list all `<iframe>` tags and check for a `sandbox` attribute. Iframes embedding third-party content (ads, widgets, videos) should restrict capabilities via sandbox.

Why it matters

Unsandboxed iframes can run scripts, submit forms, access storage, and navigate the top window — all under your domain's CSP and cookies. If that third-party content is malicious or compromised, the embedding page is fully compromised with it.


How our audit detects it

Parse all iframe tags. For each one with an external src, check for a sandbox attribute. The recommended value varies by use case, but it should not be empty.
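An offline version of this check, added here as an example (it is not Pantra's own code): using only Python's standard library, it parses a constructed sample page, reports external iframes that lack a sandbox attribute and, going one step beyond the check as described, also warns when a same-origin frame combines allow-scripts with allow-same-origin, because that combination lets the framed document remove its own sandbox. The site hostname and iframe URLs are placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for the demo (hostnames are placeholders, not real sites).
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example.test/embed/abc"></iframe>
<iframe src="https://ads.example.test/slot" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="https://widget.example.test/w" sandbox=""></iframe>
<iframe src="/local/widget.html" sandbox="allow-scripts allow-same-origin"></iframe>
<iframe src="/local/help.html"></iframe>
</body></html>"""


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # A bare attribute (sandbox with no value) arrives as None; keep that distinction.
            self.iframes.append(dict(attrs))


def is_external(src, site_host):
    """True when src points at a host other than the audited site (relative URLs are internal)."""
    host = urlparse(src).hostname
    return host is not None and host.lower() != site_host.lower()


def audit_iframes(html, site_host):
    """Return (src, level, reason) tuples; level is 'error', 'warn' or 'ok'."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        flags = set((attrs.get("sandbox") or "").split())
        if is_external(src, site_host):
            if "sandbox" not in attrs:
                results.append((src, "error", "third-party iframe without sandbox"))
            elif not flags:
                results.append((src, "ok", 'sandbox="" (maximum restriction)'))
            else:
                results.append((src, "ok", "sandbox restricts to: " + " ".join(sorted(flags))))
        elif {"allow-scripts", "allow-same-origin"} <= flags:
            # A same-origin frame granted both flags can strip the sandbox attribute itself.
            results.append((src, "warn", "same-origin frame with allow-scripts + allow-same-origin"))
        else:
            results.append((src, "ok", "same-origin frame"))
    return results


if __name__ == "__main__":
    for src, level, reason in audit_iframes(SAMPLE_HTML, "www.example.test"):
        print(f"[{level}] {src}: {reason}")
```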

Typical findings

  • YouTube embed without sandbox (low risk — trusted source).
  • Third-party ad iframe unsandboxed.
  • Custom widget iframe with unrestricted capabilities.

How to fix

Add `sandbox="allow-scripts allow-same-origin"` as a starting baseline. Remove permissions the embed doesn't need. For untrusted content use empty `sandbox=""` (maximum restriction).

Frequently asked questions

Does sandbox break YouTube embeds?
It needs allow-scripts, allow-same-origin and allow-presentation. YouTube's docs list the required flags.

Want this checked on your site?

Pantra runs the full audit (SEO, Security, GEO, Performance, Schema, Technical, Images) in 10 seconds and generates stack-specific fix prompts.

