NGINX X-Frame-Options allow only from single page
24,724
The RFC for the X-Frame-Options header states that valid options for the header are:
DENYSAMEORIGINALLOW-FROM <uri>
So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:
ALLOW-FROM https://subdomain.example.com/
Related videos on Youtube
01 : 33
NGINX X-Frame-Options allow only from single page
12 : 18
What is the X-Frame-Options Header?
06 : 50
Introduction and Explanation of X-Frame-Options
10 : 06
Using headers to help secure a site on an nginx server.
05 : 34
X-FRAME-OPTIONS - HTTP Headers - Prevent Click Jacking
03 : 21
Part 7 - How to change Nginx index page?
Author by
Flatron
Updated on September 18, 2022Comments
-
Flatron almost 2 years
I am trying to setup my vHost to allow iframes from only one subdomain of our network. Before we had:
add_header X-Frame-Options "SAMEORIGIN";on all our pages.To accomplish what I want to do I tried:
add_header X-Frame-Options https://somewebsite.com;This ends up allowing iframes as wanted but it allows them from every domain not just from
https://somewebsite.com.How can I deny iframes from all external pages but allow them from one subdomain?
Side info:
both sites run on the same machine.
-
Flatron over 8 yearsI added
add_header X-Frame-Options "ALLOW-FROM https://sub.example.com";to my vHost configuration file. This ends in the same behaviour as before --> iframing is allowed from any domain. Does the used Browser have an effect on this. I am using Google Chrome (48.0.2564.103) -
heavyd over 8 yearsSee the table at the bottom of this page. Apparently Chrome does not support
ALLOW-FROM. -
BDN about 4 yearsHow can I enable multiple URI only?
