X-Frame-Options: ALLOW-FROM origin

Good evening.

How can I change the X-Frame-Options header?

Changing the X-Frame-Options header involves modifying the server configuration to control how your website can be embedded within frames (such as <iframe> elements). This header is used to prevent clickjacking attacks by specifying whether your site can be embedded in frames on other sites.

Here are the steps to change the X-Frame-Options header depending on your server setup:

For Nginx

  1. Edit Nginx Configuration:

    • Open your Nginx configuration file. This is often located in /etc/nginx/nginx.conf or within the /etc/nginx/sites-available/ directory.
  2. Add or Modify the Header:

    • You can use the add_header directive to set the X-Frame-Options header. For example, to allow your site to be framed only by the same origin:
      server {
          # Other configurations...
      
          add_header X-Frame-Options SAMEORIGIN;
      }
      
    • To deny framing entirely:
      server {
          # Other configurations...
      
          add_header X-Frame-Options DENY;
      }
      
  3. Reload Nginx:

    • After making changes, reload Nginx to apply the new configuration:
      sudo nginx -s reload
      

For Apache

  1. Edit Apache Configuration:

    • Open your Apache configuration file, typically found in /etc/httpd/conf/httpd.conf or within virtual host configuration files in /etc/httpd/conf.d/ or /etc/apache2/sites-available/.
  2. Add or Modify the Header:

    • Use the Header directive within a <VirtualHost> block or in the main configuration:
      <VirtualHost *:80>
          # Other configurations...
      
          Header set X-Frame-Options "SAMEORIGIN"
      </VirtualHost>
      
    • For denying framing:
      <VirtualHost *:80>
          # Other configurations...
      
          Header set X-Frame-Options "DENY"
      </VirtualHost>
      
  3. Restart Apache:

    • Restart Apache to apply the changes:
      sudo systemctl restart apache2  # On Debian/Ubuntu
      sudo systemctl restart httpd    # On CentOS/RHEL
      

Using .htaccess (For Apache)

If you don’t have access to the main Apache configuration, you can modify the .htaccess file in your website’s root directory:

# Add this line to your .htaccess file
Header set X-Frame-Options "SAMEORIGIN"

Or to deny:

# Add this line to your .htaccess file
Header set X-Frame-Options "DENY"

Considerations

  • SAMEORIGIN: Allows the page to be framed only by pages from the same origin.
  • DENY: Prevents the page from being framed by any other site.
  • ALLOW-FROM uri: (Deprecated and not widely supported) Allows the page to be framed by a specific URI.

Modern Alternatives

  • Content Security Policy (CSP): Consider using the frame-ancestors directive in your CSP header as a more flexible alternative to X-Frame-Options. For example:
    Content-Security-Policy: frame-ancestors 'self';
    

Make sure to test your changes thoroughly to ensure they are applied correctly and do not negatively impact your site’s functionality.

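The answer above lists the header values but gives no way to check what a server actually sends, which is where most clickjacking misconfigurations hide (a deprecated ALLOW-FROM value, a duplicated header, or frame-ancestors placed only in a Report-Only policy). The following Python audit is an added example, not code from this thread or from any panel project: it parses a raw HTTP/1.x response head, evaluates X-Frame-Options together with CSP frame-ancestors (which browsers prefer when both are present), and reports whether framing is blocked. The response heads are constructed samples, and panel.example.test is a placeholder host.

```python
"""Audit an HTTP response's clickjacking protection.

Added example, not from the original thread. Assumes the caller already
holds the raw response head as text (e.g. from an HTTP client or a proxy
log); the sample responses at the bottom are constructed, not captured.
"""
from __future__ import annotations

from dataclasses import dataclass, field

VALID_XFO = {"DENY", "SAMEORIGIN"}


def parse_raw_headers(raw: str) -> dict[str, list[str]]:
    """Parse an HTTP/1.x response head into {lowercased-name: [values...]}.

    Repeated headers are kept as separate values because a duplicated
    X-Frame-Options header is itself worth reporting.
    """
    headers: dict[str, list[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line.strip():
            break  # blank line ends the header block; ignore the body
        name, sep, value = line.partition(":")
        if not sep:
            continue  # tolerate malformed lines rather than abort the audit
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def csp_frame_ancestors(csp_values: list[str]) -> list[str] | None:
    """Return the source list of the first frame-ancestors directive, if any."""
    for policy in csp_values:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


@dataclass
class FramingAudit:
    xfo: str | None
    frame_ancestors: list[str] | None
    findings: list[str] = field(default_factory=list)
    protected: bool = False


def audit_framing(headers: dict[str, list[str]]) -> FramingAudit:
    xfo_values = headers.get("x-frame-options", [])
    xfo = xfo_values[0].strip().upper() if xfo_values else None
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))
    audit = FramingAudit(xfo=xfo, frame_ancestors=ancestors)

    # Evaluate X-Frame-Options on its own first (conservatively).
    xfo_ok = False
    if len(xfo_values) > 1:
        audit.findings.append("multiple X-Frame-Options headers; browser handling of conflicting values varies, send exactly one")
    elif xfo is None:
        if ancestors is None:
            audit.findings.append("no X-Frame-Options header and no frame-ancestors directive")
    elif xfo in VALID_XFO:
        xfo_ok = True
    elif xfo.startswith("ALLOW-FROM"):
        audit.findings.append("ALLOW-FROM is deprecated and ignored by current browsers; use CSP frame-ancestors instead")
    else:
        audit.findings.append(f"unrecognised X-Frame-Options value {xfo!r}")

    # A frame-ancestors directive in only the Report-Only policy blocks nothing.
    if ancestors is None and csp_frame_ancestors(headers.get("content-security-policy-report-only", [])) is not None:
        audit.findings.append("frame-ancestors appears only in Content-Security-Policy-Report-Only, which does not block framing")

    # When frame-ancestors is present, CSP-aware browsers ignore X-Frame-Options.
    if ancestors is not None:
        if "*" in ancestors:
            audit.findings.append("frame-ancestors allows '*': any site may frame this page")
        else:
            audit.protected = True  # 'none', 'self' or an explicit host allowlist
    else:
        audit.protected = xfo_ok
    return audit


def audit_raw(raw: str) -> FramingAudit:
    return audit_framing(parse_raw_headers(raw))


# Constructed sample response heads (not captured from any real server).
SAMPLES = {
    "sameorigin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n<html>",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://panel.example.test\r\n\r\n",
    "csp": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'self' https://panel.example.test\r\n\r\n",
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        result = audit_raw(raw)
        print(f"{name:10} protected={result.protected} xfo={result.xfo} frame-ancestors={result.frame_ancestors}")
        for finding in result.findings:
            print("   -", finding)
```

Feed it the head of a real response (for example the output of a HEAD request made with your usual HTTP client) and check both the `protected` flag and the findings; the "csp" sample shows the combination the Modern Alternatives section recommends, where X-Frame-Options is kept only as a fallback for browsers without CSP support.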

He is asking about the panel so at least your solution doesn’t work …
