Mallika Khullar

Reputation: 1813

X-Frame-Options in nginx to allow all domains

I'm using nginx as a reverse proxy for my website.

I want to be able to open my website in an iFrame from a Chrome extension new tab HTML file.

For this, I need my nginx to set X-Frame-Options to allow all domains.

According to this answer, all domains is the default state if you don't set X-Frame-Options.

My /etc/nginx/nginx.conf doesn't have the X-Frame-Options set anywhere.

Yet when I check my website response header using Postman, it shows me X-Frame-Options = SAMEORIGIN.

How can I remove this setting and load my website in an iFrame in the Chrome new-tab .html file?

Upvotes: 34

Views: 120654

Answers (6)

Datadimension

Reputation: 1045

Add into nginx server blocks here if you have different websites on your server, to control at domain level, no main nginx config changes needed

    location ~ \.php$ {
        try_files $uri /index.php =404;
        fastcgi_buffering on; # important - set as off for WSL dev environment
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/run/php/php8.1-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_read_timeout 60;
        include fastcgi_params;

        # ALLOW IFRAMES
        add_header X-Frame-Options "" always;
    }

Upvotes: 2

Azam Rizki Maulana

Reputation: 11

Maybe you can try adding this in your nginx config:

    add_header X-Frame-Options "" always;

It works for me.

Upvotes: 0

p.t3

Reputation: 51

I found this header option in the file /etc/nginx/templates/default.conf.

    add_header  X-Frame-Options "SAMEORIGIN" always;

The default.conf file is mentioned in my main nginx.conf file.

Upvotes: 5

Stalinko

Reputation: 3646

Found this header in /etc/nginx/snippets/ssl-params.conf

Just needed to comment out the line:

    # add_header X-Frame-Options DENY;

Upvotes: 14

Jonathan

Reputation: 15385

add_header X-Frame-Options ""; did the trick for me in nginx 1.12.

Upvotes: 20

Mallika Khullar

Reputation: 1813

Solved it by changing proxy_hide_header values in /etc/nginx/sites-available/default file like so:

    proxy_hide_header X-Frame-Options;

Needed to restart nginx as well as use pm2 to restart my nodejs server (for some reason, it didn't work till I made a small change to my server and restarted it).

Upvotes: 52
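
The answers above trace the header to different places: an included snippet, a template file, or the application behind the proxy. The shell functions below are an added example, not code from any of the posters; they read a saved nginx -T dump and saved curl -sI response headers (the file names and the hostname in the comments are placeholders) and report which file sets X-Frame-Options and whether nginx or the upstream is the source.

```shell
#!/bin/sh
# Added example. Inputs are files you capture yourself, e.g.:
#   nginx -T 2>/dev/null > dump.txt               # full effective config, all includes
#   curl -sI https://example.test/ > headers.txt  # placeholder hostname

# find_xfo: read an `nginx -T` dump on stdin and print "file:line: directive"
# for every active (not commented-out) directive that names X-Frame-Options.
find_xfo() {
  awk '
    /^# configuration file / {          # marker nginx -T prints before each file
      file = $4; sub(/:$/, "", file); line = 0; next
    }
    { line++ }
    /^[[:space:]]*#/ { next }           # commented-out directive: ignore
    tolower($0) ~ /x-frame-options/ {
      text = $0
      sub(/^[[:space:]]+/, "", text); sub(/[[:space:]]+$/, "", text)
      printf "%s:%d: %s\n", file, line, text
    }'
}

# xfo_source DUMP HEADERS: say who puts the header on the response.
#   none     - response has no X-Frame-Options header
#   nginx    - an active add_header sets it to a non-empty value
#   upstream - header is present but nginx does not add it, so the proxied
#              application does (the case proxy_hide_header addresses)
xfo_source() {
  if ! grep -qi '^x-frame-options:' "$2"; then
    echo none
  elif find_xfo < "$1" |
       grep -Eqi ': add_header[[:space:]]+x-frame-options[[:space:]]+"?[^";[:space:]]'; then
    echo nginx
  else
    echo upstream
  fi
}
```

Run find_xfo first: a hit in an included snippet or template is changed in that file, while a result of upstream from xfo_source means the application behind the proxy is sending the header.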
