NetSuite Login Pages and iFrame Prohibition

Security policies and contractual agreements prohibit displaying a NetSuite login page in an iFrame. For more information about this prohibition, see Secure Login Access to Your NetSuite Account.

As of January 2015, we have been prohibiting the use of iFrames on the following login pages:

This prohibition protects your account against clickjacking attacks. For more information about defending against this vulnerability, visit the OWASP website to review the Clickjacking Defense Cheat Sheet. The iFrame prohibition is part of the best practices described in RFC 7034, HTTP Header Field X-Frame-Options.
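To check whether a page you host can still be framed, the following added example (not NetSuite code) classifies a response's framing policy from its headers. It goes beyond the X-Frame-Options header of RFC 7034 by also reading the CSP `frame-ancestors` directive; the function names, verdict labels and sample headers are assumptions made for illustration.

```python
# Added example: classify a response's framing policy from its headers.
def frame_ancestors(csp):
    """Return the CSP frame-ancestors source list, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def xfo_policy(value):
    """Normalise an X-Frame-Options value (RFC 7034) to a single keyword."""
    # Repeated headers are often merged into one comma-separated value.
    tokens = {t.strip().lower() for t in value.split(",") if t.strip()}
    if len(tokens) > 1:
        return "conflict"
    token = tokens.pop() if tokens else ""
    if token in ("deny", "sameorigin"):
        return token
    return "allow-from" if token.startswith("allow-from") else "none"

def framing_verdict(headers):
    """Return 'blocked', 'same-origin-only', 'restricted', 'misconfigured' or 'frameable'."""
    h = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(h.get("content-security-policy", ""))
    if sources is not None:
        # Browsers that support frame-ancestors apply it in preference to X-Frame-Options.
        if sources == ["'none'"]:
            return "blocked"
        if sources == ["'self'"]:
            return "same-origin-only"
        if any(s in ("*", "http:", "https:") for s in sources):
            return "frameable"
        return "restricted"
    policy = xfo_policy(h.get("x-frame-options", ""))
    if policy == "conflict":
        return "misconfigured"  # contradictory values; fix the header
    # ALLOW-FROM is in RFC 7034 but current browsers ignore it, so it protects nothing.
    return {"deny": "blocked", "sameorigin": "same-origin-only"}.get(policy, "frameable")

# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "login page": {"X-Frame-Options": "DENY"},
    "partner widget": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "no headers": {},
}
if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name}: {framing_verdict(hdrs)}")
```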

To allow logins through NetSuite, you must create a login page hosted on the NetSuite secure server and display a link to this login page on a different page.

See Creating Custom Pages for Login to Your NetSuite Account for more information.
