X-Frame-Options in nginx to allow all domains

6

33

I'm using nginx as a reverse proxy for my website.

I want to be able to open my website in an iFrame from a chrome extension new tab html file.

For this, I need my nginx to set X-Frame-Options to allow all domains.

According to this answer, all domains is the default state if you don't set X-Frame-Options.

My /etc/nginx/nginx.conf doesn't have the X-Frame-Options set anywhere.

Yet when I check my website response header using Postman, it shows me X-Frame-Options = SAMEORIGIN.

How can I remove this setting and load my website in an iFrame in the chrome new-tab .html file?

Aware answered 21/11, 2017 at 5:6 Comment(0)
51

Solved it by changing proxy_hide_header values in /etc/nginx/sites-available/default file like so:

    proxy_hide_header X-Frame-Options;

Needed to restart nginx as well as use pm2 to restart my nodejs server (for some reason, it didn't work till I made a small change to my server and restarted it).

Aware answered 21/11, 2017 at 6:1 Comment(2)
Wish this was better documented though. - Aware
I did that, though not in default but in the app-specific conf file, and it didn't work. I have Cloudflare in front of the server; does that overwrite the header in any way? - Wearing
20

add_header X-Frame-Options ""; did the trick for me in nginx 1.12.

Donnadonnamarie answered 20/11, 2018 at 2:48 Comment(0)
12

Found this header in /etc/nginx/snippets/ssl-params.conf

Just needed to comment out the line:

    # add_header X-Frame-Options DENY;

Mele answered 19/7, 2021 at 6:30 Comment(1)
I have nginx 1.18 configured w/ SSL and this did the trick for me. I was getting irritated at all the other answers. - Mayamayakovski
4

I found this header option in the file /etc/nginx/templates/default.conf.

    add_header X-Frame-Options "SAMEORIGIN" always;

The default.conf file is mentioned in my main nginx.conf file.

Pyromancy answered 15/9, 2021 at 18:58 Comment(2)
As it’s currently written, your answer is unclear. Please edit to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers in the help center. - Bashan
I have added it in the /etc/nginx/sites-available/app file (Ubuntu 18.04). It works. Thanks buddy. - Selfrighteous
2

Add this into the nginx server blocks if you have different websites on your server, to control it at the domain level; no main nginx config changes are needed.

    location ~ \.php$ {
            try_files $uri /index.php =404;
            fastcgi_buffering on; # important - set as off for WSL dev environment
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass unix:/run/php/php8.1-fpm.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_read_timeout 60;
            include fastcgi_params;

            # ALLOW IFRAMES
            add_header X-Frame-Options "" always;
    }

Lamoreaux answered 15/9, 2023 at 19:20 Comment(0)
0

Maybe you can try adding this in your nginx config:

    add_header X-Frame-Options "" always;

It works for me.

Suilmann answered 27/11, 2022 at 16:40 Comment(1)
Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. - Bashan
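
The answers above found the header in different included files, or had to hide one sent by the proxied Node.js app. As an added example (not code from any answer on this page), the script below lists every active directive in a config tree that touches X-Frame-Options, ignoring commented-out lines, and reports whether nginx or the upstream is the source. The function names and the sample tree are constructed for illustration; on a real host, pass /etc/nginx instead.

```shell
#!/usr/bin/env bash
# Added example: report every active nginx directive that touches X-Frame-Options.

# find_xfo DIR: print "file:line: effect" for each uncommented directive under DIR.
find_xfo() {
    find "$1" -type f -exec awk '
        $1 ~ /^#/ { next }                  # commented-out directive is inactive
        {
            name = tolower($2); gsub(/[";]/, "", name)
            if (name != "x-frame-options") next
            dir = tolower($1)
            if (dir == "proxy_hide_header") {
                printf "%s:%d: hides upstream header\n", FILENAME, FNR
            } else if (dir == "add_header") {
                val = $3; gsub(/[";]/, "", val)
                if (val == "") printf "%s:%d: empty value, emits nothing\n", FILENAME, FNR
                else printf "%s:%d: sets %s\n", FILENAME, FNR, val
            }
        }' {} +
}

# xfo_origin DIR: "nginx" if some config file sets the header, otherwise "upstream"
# (the proxied app sends it, which is the case proxy_hide_header addresses).
xfo_origin() {
    if find_xfo "$1" | grep -q ': sets '; then echo nginx; else echo upstream; fi
}

# demo_tree: build a constructed sample config tree and print its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/snippets" "$d/sites-available"
    printf '%s\n' 'ssl_protocols TLSv1.2;' \
        'add_header X-Frame-Options DENY;' > "$d/snippets/ssl-params.conf"
    printf '%s\n' 'server {' '    # add_header X-Frame-Options SAMEORIGIN;' \
        '    proxy_hide_header X-Frame-Options;' '}' > "$d/sites-available/default"
    echo "$d"
}

tree=$(demo_tree)
find_xfo "$tree"
echo "header set by: $(xfo_origin "$tree")"
rm -rf "$tree"
```

The scan assumes one directive per line, so a directive that follows another on the same line is not reported.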
