Security and protection of H5P-embedded content


Is there a way to protect H5P content created with the H5P WordPress plugin when embedded into different sites?

I just found that since the embed-code reveals the ID of the h5p-content, it is very easy to "guess" other h5p-content and load it instead.

It would be great if someone could give me a hint on the following questions:

1. Is it possible to disable the embed feature of the WordPress plugin for a whole WordPress page, so there is absolutely no embedding possible?

2. Is it possible or planned to add protection features for H5P content to make content only embeddable on certain pages?

Thank you in advance and kind regards


icc


1. Yes, on the H5P settings page, if you disable the Embed button all links should stop working.

2. We have thought about adding a setting for X-Frame-Options or Content-Security-Policy but it hasn't been highly requested. I guess that most who require this have already set/forced these options in the web server configuration.
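
One way to force such a policy in the web server configuration, as an added example that is not part of the original posts or of the H5P plugin. It assumes nginx in front of PHP-FPM, that the plugin's embed iframes load from `/wp-admin/admin-ajax.php?action=h5p_embed&id=N`, and that `https://lms.example.org` stands in for the one external site allowed to embed; the variable name and socket path are placeholders.

```nginx
# Added example: limit which sites may frame H5P embeds served by WordPress.
# Assumption: embeds load from /wp-admin/admin-ajax.php?action=h5p_embed&id=N
# Assumption: https://lms.example.org is a placeholder for the allowed embedder.

# http{} context: build the header value only for H5P embed requests.
map $arg_action $h5p_frame_policy {
    default    "";
    h5p_embed  "frame-ancestors 'self' https://lms.example.org";
}

server {
    # ... existing listen / server_name / root / TLS directives ...

    location = /wp-admin/admin-ajax.php {
        # nginx omits an add_header whose value is empty, so every other
        # admin-ajax action is left untouched.
        # CSP frame-ancestors is used instead of X-Frame-Options because
        # X-Frame-Options can only express DENY or SAMEORIGIN in current
        # browsers; its ALLOW-FROM form is obsolete.
        add_header Content-Security-Policy $h5p_frame_policy always;

        # Existing PHP handler for this site (placeholder socket path).
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

This header is enforced by the browser only when the response is rendered inside a frame, so it controls where content can be embedded but does not stop someone from opening an embed URL directly with a different ID. Keeping specific content unreachable still depends on disabling embedding for it or on access control in WordPress itself.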