X-Frame-Options: ALLOW-FROM origin

Good evening.

How can I change the X-Frame-Options header?

Changing the X-Frame-Options header involves modifying the server configuration to control how your website can be embedded within frames (such as <iframe> elements). This header is used to prevent clickjacking attacks by specifying whether your site can be embedded in frames on other sites.

Here are the steps to change the X-Frame-Options header depending on your server setup:

For Nginx

  1. Edit Nginx Configuration:

    • Open your Nginx configuration file. This is often located in /etc/nginx/nginx.conf or within the /etc/nginx/sites-available/ directory.
  2. Add or Modify the Header:

    • You can use the add_header directive to set the X-Frame-Options header. For example, to allow your site to be framed only by the same origin:
      server {
          # Other configurations...
      
          add_header X-Frame-Options SAMEORIGIN;
      }
      
    • To deny framing entirely:
      server {
          # Other configurations...
      
          add_header X-Frame-Options DENY;
      }
      
  3. Reload Nginx:

    • After making changes, reload Nginx to apply the new configuration:
      sudo nginx -s reload
      

For Apache

  1. Edit Apache Configuration:

    • Open your Apache configuration file, typically found in /etc/httpd/conf/httpd.conf or within virtual host configuration files in /etc/httpd/conf.d/ or /etc/apache2/sites-available/.
  2. Add or Modify the Header:

    • Use the Header directive within a <VirtualHost> block or in the main configuration:
      <VirtualHost *:80>
          # Other configurations...
      
          Header set X-Frame-Options "SAMEORIGIN"
      </VirtualHost>
      
    • For denying framing:
      <VirtualHost *:80>
          # Other configurations...
      
          Header set X-Frame-Options "DENY"
      </VirtualHost>
      
  3. Restart Apache:

    • Restart Apache to apply the changes:
      sudo systemctl restart apache2  # On Debian/Ubuntu
      sudo systemctl restart httpd    # On CentOS/RHEL
      

Using .htaccess (For Apache)

If you don’t have access to the main Apache configuration, you can modify the .htaccess file in your website’s root directory:

# Add this line to your .htaccess file
Header set X-Frame-Options "SAMEORIGIN"

Or to deny:

# Add this line to your .htaccess file
Header set X-Frame-Options "DENY"

Considerations

  • SAMEORIGIN: Allows the page to be framed only by pages from the same origin.
  • DENY: Prevents the page from being framed by any other site.
  • ALLOW-FROM uri: (Deprecated and not widely supported) Allows the page to be framed by a specific URI.

Modern Alternatives

  • Content Security Policy (CSP): Consider using the frame-ancestors directive in your CSP header as a more flexible alternative to X-Frame-Options. For example:
    Content-Security-Policy: frame-ancestors 'self';
    

Make sure to test your changes thoroughly to ensure they are applied correctly and do not negatively impact your site’s functionality.

He is asking about the panel so at least your solution doesn’t work …