X-Frame-Options on apache

Question

I am trying to allow some particular domain to access my site via iframe   Header set X-Frame-Options ALLOW-FROM https   www that-site com   I know this could be done by add the line above to the config of Apache server   Two questions here   1  which config file should be added to  The apache running on both Unix and windows  if not the same file  2  while enable the all-from  I still want to be able to run some iframe from my own domain  Can I just add the following line after the allow-from     Header set X-Frame-Options SAMEORIGIN   Or I should just add my own domain in the all-from  ie    Header set X-Frame-Options ALLOW-FROM https   www that-site com  http   www my-own-domain com   Really need to get this solved out  Thanks in advance

User · Answer

You can add to  htaccess  httpd conf or VirtualHost section Header set X-Frame-Options SAMEORIGIN this is the best option   Allow from URI is not supported by all browsers  Reference  X-Frame-Options on MDN

User · Answer

I found that if the application within the httpd server has a rule like  if the X-Frame-Options header exists and has a value  leave it alone  otherwise add the header X-Frame-Options  SAMEORIGIN  then an httpd conf mod headers rule like  Header always unset X-Frame-Options  would not suffice  The SAMEORIGIN value would always reach the client   To remedy this  I add two  not one  mod headers rules  in the outermost httpd conf file    Header set X-Frame-Options ALLOW-FROM http   to be deleted com early Header unset X-Frame-Options   The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world  It runs with  early  processing  The second rule strips off the entirely unwanted X-Frame-Options header  It runs with  late  processing   I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced Javascript from trusted sites still gets to run

User · Answer

This worked for me on all browsers    Created one page with all my javascript Created a 2nd page on the same server and embedded the first page using the object tag  On my third party site I used the Object tag to embed the 2nd page  Created a  htaccess file on the original server in the public html folder and put Header unset X-Frame-Options in it

User · Answer

What did it for me was the following  I ve added the following directive in both the http  lt VirtualHost   80 gt  and https  lt VirtualHost   443 gt  virtual host blocks   ServerName your-app com ServerAlias www your-app com  Header always unset X-Frame-Options Header set X-Frame-Options  SAMEORIGIN    The reasoning behind this  Well by default if set  the server does not reset the X-Frame-Options header so we need to first always remove the default value  in my case it was DENY  and then with the next rule we set it to the desired value  in my case SAMEORIGIN  Of course you can use the Header set X-Frame-Options ALLOW-FROM     rule as well

User · Answer

See X-Frame-Options header on error response  You can simply add following line to  htaccess  Header always unset X-Frame-Options

[apache] X-Frame-Options on apache

Examples related to apache

Examples related to cross-browser

Examples related to x-frame-options

Examples related to clickjacking