...
The allowed_hosts setting accepts an array of URIs that define hosts that can participate in Cross-Origin Resource Sharing (CORS). It also defines which host can embed our application in an <iframe>, <frame>, or <object> tag on a web page. (See https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options for more information.) Host is intentionally singular since the X-Frame-Options header can only contain one entry. The first host in the list will be used as the value for this header.
...