I just wanted to reach out and see if anyone had experience with creating a Canvas App displaying their external Web Application in Salesforce. If so, when going through the security review what did you do/not do regarding the X-Frame-Options Headers. Given that the Canvas App will be in an IFrame in another origin, how do you resolve security violations of not including the X-Frame-Options header in your Web Application . The possible values are Deny or Allow Same Origin, both of which won't work unless I'm missing something.