Buhdi

Reputation: 11

Apache X-Frame-Options SAMEORIGIN is always appended

I'm running the same Django project on two Ubuntu 14.04.3 LTS web servers (one "real" and one VM). Because this project has to run in an iframe at another website, I had to change the X-Frame-Options.

On my VM I only had to change security.conf and insert Header set X-Frame-Options: "ALLOW-FROM https://example.org". This is the relevant part of the HTML header: X-Frame-Options ALLOW-FROM https://example.org

On the real server I tried to have the same configuration. But the HTML header looks like this: X-Frame-Options SAMEORIGIN ALLOW-FROM https://example.org

And I have no idea where this SAMEORIGIN is set. Do you know where I have to look for this option? I've looked through all confs in the directory /etc/apache2 (and its subdirectories), but found nothing.

Thanks!

Upvotes: 1

Views: 1297

Answers (1)

Jordan

Reputation: 32522

If you're using Django, it's possible that you have the Clickjacking middleware installed. Look for this in your settings.py.

MIDDLEWARE_CLASSES = [
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
]

This would be sent back from your app server to Apache, and Apache would send it to the browser as a pass-through HTTP header.

Upvotes: 1
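The interaction the answer describes, as an added example that is not part of the original question or answer and does not use Django itself: it re-implements, in plain Python, the documented behaviour of django.middleware.clickjacking.XFrameOptionsMiddleware (the header is added only when the view did not already set one and did not mark the response exempt, with the value taken from the X_FRAME_OPTIONS setting, whose default in the Django 1.x series is SAMEORIGIN), models Apache's mod_headers "Header set" as a plain replacement, and validates the final header value against the three forms RFC 7034 defines. The Response class, the SETTINGS dict and the scenarios are constructed for illustration. Two caveats worth keeping in mind: a browser ignores an X-Frame-Options value it cannot parse, so a combined value such as "SAMEORIGIN ALLOW-FROM https://example.org" gives no framing protection at all, and ALLOW-FROM was never supported by Chrome or Safari, so the portable way to permit a single framing origin today is the Content-Security-Policy frame-ancestors directive.

```python
"""Model of how Django's clickjacking middleware, a view and an Apache
'Header set' directive combine to produce the final X-Frame-Options value.
Added example; re-implements the middleware's documented behaviour without
importing Django so that it runs stand-alone."""

# Constructed stand-in for settings.py; Django 1.x defaults to 'SAMEORIGIN'.
SETTINGS = {"X_FRAME_OPTIONS": "SAMEORIGIN"}


class Response:
    """Minimal, constructed stand-in for django.http.HttpResponse:
    a case-insensitive header store plus the xframe_options_exempt flag."""

    def __init__(self, body=""):
        self.body = body
        self._headers = {}          # lower-cased name -> (name, value)
        self.xframe_options_exempt = False

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def __contains__(self, name):
        return name.lower() in self._headers

    def get(self, name):
        item = self._headers.get(name.lower())
        return item[1] if item else None


def xframe_options_middleware(response):
    """Mirror of XFrameOptionsMiddleware.process_response: only add the header
    when the view set none and did not exempt the response."""
    if "X-Frame-Options" in response or response.xframe_options_exempt:
        return response
    response["X-Frame-Options"] = SETTINGS["X_FRAME_OPTIONS"].upper()
    return response


def xframe_options_exempt(view):
    """Mirror of django.views.decorators.clickjacking.xframe_options_exempt."""
    def wrapped(*args, **kwargs):
        response = view(*args, **kwargs)
        response.xframe_options_exempt = True
        return response
    return wrapped


def apache_header_set(response, name, value):
    """Model of mod_headers 'Header set': an existing value is replaced."""
    response[name] = value
    return response


def parse_x_frame_options(value):
    """Classify a header value per RFC 7034. Returns (directive, origin) for
    DENY, SAMEORIGIN or ALLOW-FROM <origin>, and None for anything else; a
    browser ignores an unparseable value, so None means 'no protection'."""
    tokens = value.strip().split()
    if len(tokens) == 1 and tokens[0].upper() in ("DENY", "SAMEORIGIN"):
        return tokens[0].upper(), None
    if len(tokens) == 2 and tokens[0].upper() == "ALLOW-FROM":
        return "ALLOW-FROM", tokens[1]
    return None


ALLOWED = "ALLOW-FROM https://example.org"   # value from the question


def plain_view():
    return Response("<html>embedded widget</html>")


@xframe_options_exempt
def exempt_view():
    return Response("<html>embedded widget</html>")


def self_setting_view():
    response = Response("<html>embedded widget</html>")
    response["X-Frame-Options"] = ALLOWED   # view decides, middleware defers
    return response


def scenarios():
    """Final X-Frame-Options value seen by the browser in four setups."""
    return {
        "default": xframe_options_middleware(plain_view()).get("X-Frame-Options"),
        "exempt": xframe_options_middleware(exempt_view()).get("X-Frame-Options"),
        "view_sets": xframe_options_middleware(self_setting_view()).get("X-Frame-Options"),
        # App emits SAMEORIGIN, Apache 'Header set' then replaces it.
        "apache_set": apache_header_set(
            xframe_options_middleware(plain_view()), "X-Frame-Options", ALLOWED
        ).get("X-Frame-Options"),
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print("%-10s %-40s parsed=%s" % (name, value, parse_x_frame_options(value or "")))
    print("combined value parses as:",
          parse_x_frame_options("SAMEORIGIN ALLOW-FROM https://example.org"))
```

To find which layer emits the header on the real server, compare the response headers from Apache with those from the WSGI application reached directly (for example with curl -sI against each); a SAMEORIGIN that is present in both comes from the Django side, which is what the middleware model above predicts when the view sets nothing.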
