How to run a mendix app within a mendix app

0
I want to run a Mendix app within a Mendix app, similar to an iframe, but without using an iframe due to security concerns like clickjacking, XSS, session leaks, performance/UX issues and other security issues. So what is the best approach to do this? And ⭐ we don't want to use something like exposing from one app and rebuilding the UI in another app and consuming it.
asked
1 answer
0

You can host both apps behind the same domain with a reverse proxy (like nginx).
Route parts of the URL (/app1/*, /app2/*) through the proxy. Inside App A, you can navigate seamlessly to App B routes, styled to look like the same application. To the user, it feels like “one app,” though technically they’re switching apps.

Pros: Keeps Mendix apps intact, no rebuild.

Cons: Not truly embedded — it’s app switching, not app nesting.
Even though you said you don’t want iframe, note that many of the security concerns (clickjacking, XSS, session leaks) can be mitigated with careful configurations:
On App-A you can embed App-B inside an iframe as follows:

<iframe src="https://app-b.example.com" sandbox="allow-scripts allow-same-origin"></iframe>
Sandbox heavily restricts what the iframe content can do (no top-level navigation, no forms, no popups, no automatic script execution, etc.). You can selectively loosen only what’s needed with flags like allow-scripts, allow-same-origin, allow-forms.
This prevents the embedded app from breaking out of its frame or injecting things into the parent DOM → mitigates XSS and clickjacking vectors.
For App-B you can add a CSP header as follows:

Content-Security-Policy: default-src 'self'; frame-ancestors https://app-a.example.com;

This way, only App-A can embed App-B.

Controls what resources App B can load (scripts, fonts, etc.).

Prevents inline scripts and untrusted sources from executing, mitigating XSS.

answered
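A concrete version of the reverse-proxy layout and the header hardening from the answer above, added here as an example; it is not from the original post and not Mendix's own configuration. One nginx server on a shared domain routes /app1/ and /app2/ to the two Mendix runtimes and sets the framing and cookie-scoping headers at the proxy, so neither app's own configuration has to change. The hostnames, upstream addresses, certificate paths and the portal.example.com origin are assumptions; the fragment belongs inside the http block of nginx.conf.

```nginx
# Added example, not from the original post. Upstream addresses are assumed.
upstream mendix_app_a { server 10.0.0.11:8080; }
upstream mendix_app_b { server 10.0.0.12:8080; }

server {
    listen 443 ssl;
    server_name portal.example.com;                      # assumed shared domain
    ssl_certificate     /etc/nginx/certs/portal.crt;     # assumed paths
    ssl_certificate_key /etc/nginx/certs/portal.key;

    # App A is the top-level document the user lands on.
    # The trailing slash on proxy_pass strips the /app1/ prefix, so the
    # Mendix runtime still receives requests at its own root.
    location /app1/ {
        proxy_pass http://mendix_app_a/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Rewrite the session cookie Path from "/" to "/app1/" so App A's
        # session is never sent to App B (addresses the "session leak" concern).
        proxy_cookie_path / /app1/;
        # Nobody may frame the top-level app itself.
        add_header Content-Security-Policy "frame-ancestors 'none'" always;
        add_header X-Frame-Options "DENY" always;
    }

    # App B is the app that App A is allowed to embed or navigate to.
    location /app2/ {
        proxy_pass http://mendix_app_b/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_cookie_path / /app2/;
        # Same policy the answer shows, but enforced by the proxy:
        # only the shared portal origin may embed App B.
        add_header Content-Security-Policy "default-src 'self'; frame-ancestors https://portal.example.com" always;
        # Fallback for browsers that ignore frame-ancestors.
        add_header X-Frame-Options "SAMEORIGIN" always;
    }
}
```

Two things to verify before relying on this. First, default-src 'self' blocks inline scripts and any CDN-hosted assets, so load each app's pages with the browser console open and relax the directive only for sources you actually see blocked. Second, the sandbox attribute in the answer combines allow-scripts with allow-same-origin, which lets a same-origin framed document remove its own sandbox restrictions; the frame-ancestors directive on App B is therefore the control that decides who may embed it, and the sandbox is only a secondary limit. If you later drop the iframe entirely and use the app-switching route, keep the frame-ancestors headers anyway, since they cost nothing and stop third-party sites from framing either app.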