Manoj

Reputation: 712

add_header X-Frame-Options DENY; in the nginx conf is not working; I can still see the iframe in our application

add_header X-Frame-Options DENY; does not seem to be working for us.

We intend to display one of our hosted pages as an iframe for PCI-related reasons, and we succeeded in that, but to avoid clickjacking we were recommended to use X-Frame-Options DENY. We can't do that, since we want our users to use the frame we developed, so the solution might be using X-Frame-Options ALLOW-FROM uri.

We are trying add_header X-Frame-Options DENY; to see if our application restricts the iframe in the first place, but the iframe is still visible. We verified several times whether the add_header might be in the wrong place in the nginx conf, but it is not.

P.S. The image below is for reference, but we can still see the Angular application rendering the frame successfully :(


Upvotes: 4

Views: 8383

Answers (3)

Mohammed Jasir A

Reputation: 19

Add the code below under the location block in nginx.conf

add_header X-Frame-Options "DENY" always;

Example

    location / {
        expires -1;
        add_header Pragma "no-cache";
        add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0, post-check=0, pre-check=0';
        add_header X-Frame-Options "DENY" always;
        root  <root directory>;
        index  index.html index.htm;
        try_files $uri $uri/ /index.html?$args;
    }

Upvotes: 1

ofirule

Reputation: 4649

Let's say your hosted page is at URI1 and your hosting page is at URI2.

What are the response headers when you send a GET request for URI1 directly?

I think that you are adding the 'x-frame-options' header to the response for URI2 instead of URI1.

Upvotes: 0
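To make the URI1/URI2 point concrete, here is a small checker, added here and not taken from the question or any answer, that models the browser-side decision from the response headers of the framed document only (captured with F12 or curl -I, for example); the sample origins and headers are constructed, and it goes slightly beyond the thread by also handling the CSP frame-ancestors directive, which browsers consult before X-Frame-Options.

```python
from urllib.parse import urlsplit


def origin(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, lower-cased."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def framing_allowed(response_headers: dict, framed_url: str, top_url: str) -> tuple:
    """Return (allowed, reason) for embedding framed_url inside a page at top_url.

    Only the headers of the *framed* document (URI1 in the answer above) matter;
    a header sent on the embedding page (URI2) never affects this decision.
    """
    # HTTP header names are case-insensitive
    h = {k.lower(): v for k, v in response_headers.items()}

    # CSP frame-ancestors takes precedence over X-Frame-Options in browsers.
    # Simplified matching: 'none', 'self' and exact origins only (no wildcards).
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower().strip("'") for s in parts[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "self" in sources and origin(top_url) == origin(framed_url):
                return True, "CSP frame-ancestors 'self'"
            if origin(top_url) in sources:
                return True, f"CSP frame-ancestors lists {origin(top_url)}"
            return False, "CSP frame-ancestors does not list the embedding origin"

    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        same = origin(top_url) == origin(framed_url)
        return same, "X-Frame-Options: SAMEORIGIN"
    if xfo.startswith("ALLOW-FROM"):
        # Obsolete value: current Chrome and Firefox ignore it, so it gives no
        # protection; frame-ancestors is the supported way to allow one origin.
        return True, "X-Frame-Options: ALLOW-FROM is ignored by current browsers"
    return True, "no framing restriction on the framed document"


if __name__ == "__main__":
    # Constructed sample: the framed page sends DENY, the embedding page is another origin.
    print(framing_allowed({"X-Frame-Options": "DENY"},
                          "https://pay.example.com/form", "https://app.example.com/"))
```

If the framed page's response lacks the header even though the server block sets it, note that nginx add_header directives inside a location block replace those inherited from the enclosing level rather than adding to them.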

Guerric P

Reputation: 31805

You're probably using an old browser, because it works in Chrome 68. You can inspect the JavaScript error and the HTTP headers with F12.

<iframe src="https://www.facebook.com"></iframe>

Upvotes: 0
