There's a fairly recent update to Account Engagement that everyone should enable in their accounts right away. It only takes a few moments, but it provides peace of mind and security that matters now more than ever.
The setting restricts iframing of your Account Engagement assets to only the domains you specify.
This help article explains it in depth, but it's really quite easy. Just head over to your Account Engagement settings, hit Edit on your main account page, and then scroll down to this section.
Here you can add only the domains that you want to be able to host your iframed forms; on any other domain, the iframe won't load. Now, be sure to consider all the possible subdomains or other places you might have your forms hosted beyond your main website, such as customer portals and Salesforce communities. Even your own tracker domains might have an extra form embedded, and that counts too. So make sure you consider everything. And of course, you can add more later if you missed one.
If you do want to use iframed assets on your tracker subdomains, there is now a secondary setting on the tracker domain that allows or disallows iframes on the tracker domains too, so make sure you check that out as well.
This restricts your iframes to only the web locations of your choosing, which matters because an iframe can otherwise be called from anywhere and embedded on any website. It won't, however, prevent your form from being accessed or submitted independently, since any form is also a kind of landing page by itself.
The more we can do to restrict our online assets only to the places we want them to appear, the better. So what are you waiting for? You could have updated this setting in the time it took to read this article.