Nothing will unset X-Frame-Options (Apache, PHP 5.3)
I'm trying to implement an embeddable widget, functioning similar to a Twitter embedded tweet. The simplest solution, though maybe not the best, appears to be an iframe or HTML5 embed - but both are being blocked by the X-Frame-Options header on the server.

I'm running PHP 5.3 and Apache 2.2 on a dedicated server under my full control.

I've tried placing this on the very first line of the iframe PHP file:

header_remove("X-Frame-Options");

I've tried adding the following to .htaccess:

Header unset X-Frame-Options

I've checked httpd.conf, the vhost .conf file, even PHP.INI, and searched for "x-frame" - nothing apparently relevant in either.

No mod_security or other plugins that should be injecting this on this server that I see.

Yet curl verifies the following HTTP header no matter what I do:

X-Frame-Options: DENY

Is there some, maybe oddly named setting somewhere that could still be forcing this header in?

Dig answered 16/10, 2015 at 13:53

Comments:

Is the PHP code entirely your own, or are you using a framework library of some kind? Could it be that the framework does this as part of its default behaviour for security reasons? -- Coniferous

Also, off topic, but please be aware that PHP 5.3 is end-of-life. In fact, even PHP 5.4 is end-of-life now. You should consider upgrading, especially since you have full control over the server. -- Coniferous

Thanks for the response - the site root is using WordPress, but this code is my own, placed in a stand-alone file outside the CMS for simplicity for now. Also solid advice re: 5.3, just a little nervous to blow my production server up with an upgrade. :) -- Dig

If the PHP code is stand-alone and you've checked Apache, etc., then I don't know where it's coming from. But have you tried adding a header() line to your PHP code to override it? Probably not the ideal solution, but try it; it might work. -- Coniferous

Re PHP upgrades -- yeah, always good to be cautious of upgrading a live server. It does have to be done from time to time though; you really can't get away with hiding in the sand. There are well-established processes for managing an upgrade like this (not least of which is make sure everything is backed up first!). But I suggest moving over to SO's sister site ServerFault to discuss that kind of thing in more detail. -- Coniferous

Appreciated! Alright, I figured it out - the header was being forced in from ssl.conf. Cleared there and can now manage X-Frame-Options using PHP! -- Dig
X-Frame-Options was forced in by ssl.conf.

Commenting out and restarting Apache allowed .htaccess and PHP header management to work again.

Dig answered 16/10, 2015 at 16:11

Comment:

This header may also have been set in /etc/apache2/conf-enabled/ssl-params.conf (Ubuntu 16.04) or security.conf -- Hypercorrection
Consider the following experiment:

Header always set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"

response headers:

X-Frame-Options "DENY"
X-Frame-Options "TEST"

Second experiment:

Header set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"

response headers:

X-Frame-Options "TEST"

Conclusion: the always option blocks the original value from being unset; however, it doesn't block adding a new value.

Preliminary answered 22/4, 2020 at 11:54
I had the same problem, and I solved it by writing this in httpd.conf:

Header append X-Frame-Options ALLOWALL

Also, I had to configure the headers module to be loaded in order for Apache to understand this directive. Then you must restart httpd.

Demona answered 26/5, 2016 at 13:53

Comments:

You should use Header set, since append may duplicate the header - see the docs: "The response header is added to the existing set of headers, even if this header already exists. This can result in two (or more) headers having the same name. This can lead to unforeseen consequences, and in general set, append or merge should be used instead." -- Alrzc

ALLOWALL is not a valid value for the "X-Frame-Options" header: developer.mozilla.org/en-US/docs/Web/HTTP/Headers/… -- Factotum
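A small check that fits this answer and the comments under it, added here and not part of the thread: it reads response headers as captured with `curl -sI` (the `example.invalid` URL in the usage line is a placeholder) and reports whether X-Frame-Options is missing, duplicated, carries a value browsers do not recognise (such as ALLOWALL, or the comma-merged value `Header append` produces), or is well-formed. The sample responses are constructed.

```sh
# Added example, not from the thread: inspect the X-Frame-Options header in a
# captured HTTP response, the way the asker verified it with curl.
# Feed the output of `curl -sI <url>` on stdin; samples below are constructed.

# Print the value of every X-Frame-Options header, one per line, upper-cased,
# with CRs and surrounding whitespace stripped (header names are case-insensitive).
xfo_values() {
    tr -d '\r' | grep -i '^x-frame-options:' | cut -d: -f2- \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | tr '[:lower:]' '[:upper:]'
}

# Verdict for the headers on stdin: "missing", "duplicate (N headers)",
# "invalid VALUE" or "ok VALUE". Exit status is 0 only for "ok": browsers
# honour DENY and SAMEORIGIN; any other value (ALLOWALL, "DENY, ALLOWALL") is
# ignored, leaving the page framable, and a duplicated header is handled
# inconsistently across browsers.
xfo_verdict() {
    values=$(xfo_values)
    if [ -z "$values" ]; then
        echo missing; return 1
    fi
    n=$(printf '%s\n' "$values" | wc -l | tr -d ' ')
    if [ "$n" -gt 1 ]; then
        echo "duplicate ($n headers)"; return 1
    fi
    case "$values" in
        DENY|SAMEORIGIN) echo "ok $values"; return 0 ;;
        *) echo "invalid $values"; return 1 ;;
    esac
}

# Constructed responses: the value ssl.conf forced, the merged value that
# `Header append X-Frame-Options ALLOWALL` yields on top of it, the header
# emitted twice by two config layers, and a sane single value.
FORCED_DENY='HTTP/1.1 200 OK
X-Frame-Options: DENY
Content-Type: text/html'
APPENDED='HTTP/1.1 200 OK
X-Frame-Options: DENY, ALLOWALL'
DUPLICATED='HTTP/1.1 200 OK
X-Frame-Options: DENY
X-Frame-Options: SAMEORIGIN'
FIXED='HTTP/1.1 200 OK
x-frame-options: SAMEORIGIN'

# Live usage (placeholder host): curl -sI https://example.invalid/widget.php | xfo_verdict
for r in "$FORCED_DENY" "$APPENDED" "$DUPLICATED" "$FIXED"; do
    printf '%s\n' "$r" | xfo_verdict || true
done
```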
Just in case you want to modify this in .htaccess, this is the way:

Header always unset X-Frame-Options env=HTTPS

Luna answered 19/9, 2019 at 16:4

Comment:

This works if the website itself forces headers like this. -- Mcgovern
