Allowing Kintone Screens to Be Embedded in Other Web Sites

Article Number:02013

By default, you cannot embed Kintone content into other websites or systems.
To embed content, you must first enable the "Embedding into External Sites" option in Kintone Users & System Administration.

Embedding Contents

Embedding contents means that you use iframe tags or frame tags to render Kintone contents in other websites or systems.
For example, you can embed an inventory management app created in Kintone into your business system, so that team members can immediately check inventory figures.

Figure: Showing an image when Kintone app is embedded on a website

Security Risk

Enabling the "Embedding into External Sites" option may cause security risks.
It is recommended not to enable the "Embedding into External Sites" option unless necessary.

Possible risks you may encounter are Clickjacking and Cross-Site Request Forgery.


Clickjacking is an attack using transparent Web UI elements or other tricks to direct a user to click on a page different from what the user perceives they are viewing.
This attack can cause information leaks, for example, by tricking users into performing an action to disclose sensitive information without their awareness.

By default (the "Embedding into External Sites" option is disabled), "X-Frame-Options: SAMEORIGIN" is appended to the header of responses from the server.
This allows the web site to be rendered only when it is served from the domain that appears in the address bar of the Web browser. That is, no Kintone site can be rendered on attackers' sites.

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is an attack that induces a user to execute action against a site that is different from the site where that user actually executes an action such as filling a form.
For example, a user might unintentionally post comments to Kintone as a result of accessing a malicious site.

  • When the "Embedding into External Sites" option is disabled (default)
    Any action from another site for Kintone services is prohibited.
    This prevents unintentional user actions from being executed in Kintone.

  • When the "Embedding into External Sites" option is enabled
    Actions from another site for Kintone services are allowed.
    It might allow third parties to perform actions that the users do not intend to do. Be aware of the possible security risks when using this option.

Enabling The "Embedding into External Sites" Option

  1. Click gear shaped administration menu icon in the header.

  2. Click Users & System Administration.
    Accessing Kintone Users & System Administration

  3. Click Misc Settings. Screenshot: "Misc Settings" is highlighted

  4. On the "Misc Settings" screen, select "Allow" under "Embedding into External Sites".

  5. Click Save.

When the Change Made to the Setting Is Applied

The change made to the "Embedding into External Sites" option will be applied to at different timing depending on each user.
The new setting will be reflected when:

  • A user logs out and then logs in again
  • A user logs in again after the expiration of login session
    By default, login session remains valid for 24 hours after the last access.

Setting Needed for Safari

Safari for macOS does not support the embedding of the external website by default, even if the "Embedding into External Sites" option is enabled.
To display embedded content of Kintone, disable "Prevent cross-site tracking" in the Safari setting.