Set X-Frame-Options to allow and disallow certain URLs to frame a page - Apache

I want to prevent my website from being clickjacked by someone else. So in my .htaccess file, I placed this code (which is working correctly):
Header set X-Frame-Options SAMEORIGIN
My website is now secured from being iframed by any site on the internet. However, I recently developed a mobile application that fetches pages under about-us hosted on my website (my website contains www.mywebsite/about-us/author, www.mywebsite/about-us/company) to display the same details in the app. So what I did was add these lines to my .htaccess file:
SetEnvIf REQUEST_URI ^about-us/$ aboutus_page
Header set X-Frame-Options SAMEORIGIN env=!aboutus_page
I want the rest of my pages to be free from being iframed, except all pages under mywebsite/about-us/ ("any page").

At least in Apache 2.4, %{REQUEST_URI} won't work for the usual SPA kind of URI. Use %{THE_REQUEST} instead. SetEnvIf is not as flexible, so I recommend simply using <If> sections. Just tested the below and it works:
<If "! %{THE_REQUEST} =~ /.*about-us.*/">
Header set X-Frame-Options SAMEORIGIN
</If>

You can make a second .htaccess file in the folder "aboutus" where you allow framing,
so it will override the outer .htaccess file.
If you just want to allow framing in company and author, you can put .htaccess files there too.

In .htaccess, how to set a response header for all URLs except one?

I want to use this rule:
<IfModule mod_headers.c>
Header always set X-FRAME-OPTIONS "DENY"
</IfModule>
But only for the front pages of my website.
I.e. I have a backoffice: example.com/gestion, for which I don't want the rule to apply, and I want the rule applied only for example.com (so all URLs without gestion).
Any idea?
Try something like this using an Apache <If> expression to match all URLs, except for any URL that starts with /gestion, contains multiple path segments or contains dots (i.e. actual files).
For example:
<If "%{REQUEST_URI} =~ m#^/(?!gestion)[\w-]*$#">
Header always set X-FRAME-OPTIONS "DENY"
</If>
This uses a negative lookahead to avoid matching any URL that starts with /gestion.
I'm assuming that your "front page" URLs only consist of single path segments containing characters in the range [0-9a-zA-Z_-].
The <IfModule> wrapper is not required (unless this is optional and you are using the same config on multiple servers where mod_headers may not be enabled, which is unlikely).
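The two threads above both hinge on what a regex against %{REQUEST_URI} actually matches, so here is an added example (Python, not Apache code and not from either thread) that emulates a stack of <If "%{REQUEST_URI} =~ /.../"> Header set X-Frame-Options blocks and runs constructed paths through three variants of the about-us exclusion and the /gestion front-page rule. Python's re engine stands in for Apache's PCRE; the patterns used here behave the same in both. The path list is constructed for the demonstration.

```python
import re

# Each rule emulates one Apache block of the form
#   <If "[!] %{REQUEST_URI} =~ /PATTERN/"> Header set X-Frame-Options VALUE </If>
# written as (PATTERN, negated, VALUE). `Header set` replaces any earlier
# value, so when several blocks fire for one request the last one wins.

def header_for(path, rules):
    """Return the X-Frame-Options value Apache would send for REQUEST_URI `path`,
    or None when no rule fires and the header is therefore absent."""
    value = None
    for pattern, negated, new_value in rules:
        # re.ASCII keeps \w at [A-Za-z0-9_], like Apache's PCRE default.
        matched = re.search(pattern, path, re.ASCII) is not None
        if matched != negated:
            value = new_value
    return value

# Thread 1: protect everything except /about-us and what lives under it.
# REQUEST_URI always starts with "/", so the original anchored pattern never
# matches and every page, about-us included, keeps getting SAMEORIGIN.
BROKEN_ABOUT_US = [(r"^about-us/$", True, "SAMEORIGIN")]
# An unanchored pattern exempts any path that merely contains "about-us".
LOOSE_ABOUT_US = [(r"about-us", True, "SAMEORIGIN")]
# Anchored at the leading slash and at a path boundary: only /about-us itself
# and its descendants are exempt.
FIXED_ABOUT_US = [(r"^/about-us(/|$)", True, "SAMEORIGIN")]

# Thread 2: DENY on single-segment "front" pages only, never under /gestion.
FRONT_PAGES_ONLY = [(r"^/(?!gestion)[\w-]*$", False, "DENY")]

def demo():
    """Run constructed sample paths through each rule set.
    Returns {rule_set_name: {path: header_or_None}}."""
    paths = ["/", "/contact", "/about-us", "/about-us/author",
             "/about-us-history", "/news/about-us-history",
             "/gestion", "/gestion/users", "/gestionnaire", "/Gestion",
             "/blog/post", "/style.css"]
    rule_sets = [("broken", BROKEN_ABOUT_US), ("loose", LOOSE_ABOUT_US),
                 ("fixed", FIXED_ABOUT_US), ("front", FRONT_PAGES_ONLY)]
    return {name: {p: header_for(p, rules) for p in paths}
            for name, rules in rule_sets}

if __name__ == "__main__":
    for name, result in demo().items():
        print(name)
        for path, header in result.items():
            print(f"  {path:<24} {header}")
```

Two things the output makes visible: the loose pattern also unprotects /news/about-us-history, and the front-page rule excludes /gestionnaire (anything starting with "gestion") while still denying /Gestion, because =~ /.../ is case-sensitive unless written as m#...#i. The same anchored pattern works verbatim in SetEnvIf Request_URI "^/about-us(/|$)" on servers without <If> support.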

Content security policy not coming on 301 http-to-https redirect

I am using the dispatcher config for the HTTP to HTTPS redirect for my AEM site. But I don't see the "Content-Security-Policy" header coming on the 301 redirect. It comes fine from the next 200 call onwards, where the site is now on HTTPS.
Any suggestion to get the Content-Security-Policy header on the 301 redirect call as well?
Thanks in advance.
I was able to get the content-security-policy working on 301 redirect.
Earlier the Content-Security-Policy header was under <Directory /> and I moved it under <IfModule mod_headers.c>. This worked for me.
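An added configuration example (not the answerer's dispatcher config) showing the mod_headers detail behind this symptom: a plain Header set writes to the onsuccess header table, which Apache drops when it generates a redirect or error response itself, whereas Header always set writes to the table that is sent with every response, the 301 included. The hostnames are placeholders.

```apache
<VirtualHost *:80>
    ServerName www.example.com
    # Every plain-HTTP request is answered with a 301 to HTTPS.
    Redirect permanent "/" "https://www.example.com/"

    # Weak: only touches the onsuccess header table, which is not sent with
    # the 301 generated by the Redirect above.
    # Header set Content-Security-Policy "default-src 'self'"

    # Corrected: the "always" table is sent with every response, redirects
    # and error documents included.
    Header always set Content-Security-Policy "default-src 'self'"
</VirtualHost>
```

Check it with curl -sI http://www.example.com/ and confirm that the 301 response carries the header, not just the 200 that follows it.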

Setting Apache mod_headers headers while accessing any directory?

I am using Apache 2.2. I have to set a header for the home page URL only, e.g. if the URL is https://www.example.com then I need to set the header for this URL only. Could you please help me with this?
I have tried the things below, but no luck.
I used an If condition, but it is not working for this version.
RewriteCond %{REQUEST_URI} /
Header set ABC "abc"
Here, the header is being set for all URLs in the application.
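One way to do this on Apache 2.2, which has no <If> sections, as an added example that is not from the thread: a RewriteCond only qualifies the RewriteRule that follows it and never a Header directive, so mark the request with mod_setenvif instead and condition the Header directive on that variable. The header name and value are the poster's; the variable name HOMEPAGE is arbitrary.

```apache
# Request_URI is the path part of the request line: "/" for https://www.example.com
# If the home page is also served as /index.html, use "^/(index\.html)?$".
SetEnvIf Request_URI "^/$" HOMEPAGE

# Fires only when the HOMEPAGE variable was set above; every other URL is untouched.
Header set ABC "abc" env=HOMEPAGE
```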

X-Frame-Options on Apache

I am trying to allow some particular domain to access my site via iframe:
Header set X-Frame-Options ALLOW-FROM https://www.example.com
I know this can be done by adding the line above to the Apache server config.
Two questions here:
Which config file should it be added to? Apache is running on both Unix and Windows; is it the same file?
While enabling allow-from, I still want to be able to run some iframes from my own domain. Can I just add the following line after the allow-from?
Header set X-Frame-Options SAMEORIGIN
Or should I just add my own domain to the allow-from, i.e.
Header set X-Frame-Options ALLOW-FROM https://www.example.com, http://www.my-own-domain.example
You can add it to .htaccess, httpd.conf or a VirtualHost section.
Header set X-Frame-Options SAMEORIGIN is the best option.
ALLOW-FROM uri is not supported by all browsers. Reference: X-Frame-Options on MDN
See X-Frame-Options header on error response.
You can simply add the following line to .htaccess:
Header always unset X-Frame-Options
What did it for me was the following. I added this directive in both the HTTP <VirtualHost *:80> and HTTPS <VirtualHost *:443> virtual host blocks:
ServerName example.com
ServerAlias www.example.com
Header always unset X-Frame-Options
Header set X-Frame-Options "SAMEORIGIN"
The reasoning behind this? Well, by default, if it is set, the server does not reset the X-Frame-Options header, so we need to first always remove the default value (in my case it was DENY) and then, with the next rule, set it to the desired value (in my case SAMEORIGIN). Of course you can use the Header set X-Frame-Options ALLOW-FROM ... rule as well.
This worked for me on all browsers:
Created one page with all my javascript
Created a 2nd page on the same server and embedded the first page using the object tag.
On my third party site I used the Object tag to embed the 2nd page.
Created a .htaccess file on the original server in the public_html folder and put Header unset X-Frame-Options in it.
I found that if the application within the httpd server has a rule like "if the X-Frame-Options header exists and has a value, leave it alone; otherwise add the header X-Frame-Options: SAMEORIGIN" then an httpd.conf mod_headers rule like "Header always unset X-Frame-Options" would not suffice. The SAMEORIGIN value would always reach the client.
To remedy this, I add two, not one, mod_headers rules (in the outermost httpd.conf file):
Header set X-Frame-Options ALLOW-FROM http://example.com early
Header unset X-Frame-Options
The first rule tells any internal request handler that some other agent has taken responsibility for clickjack prevention and it can skip its attempt to save the world. It runs with "early" processing. The second rule strips off the entirely unwanted X-Frame-Options header. It runs with "late" processing.
I also add the appropriate Content-Security-Policy headers so that the world remains protected yet multi-sourced JavaScript from trusted sites still gets to run.
You have to enable mod_headers first on your server:
sudo a2enmod headers
sudo service apache2 restart

How to use the SetEnvIf in this situation?

I am trying to add X-FRAME-OPTIONS to the HTTP header to prevent clickjacking attacks.
If I set the header in httpd.conf or the .htaccess file like this, it works.
Header set X-Frame-Options SAMEORIGIN
But there are several places using iframes on my own website; if I do this, it will also block the iframes on my own website. So I tried to add an exception for my own website: check if the request is from my own website, then allow the iframe on the page. I tried this, but it didn't work.
SetEnvIf Host http://myownwebsite\.com iframes_are_cool
Header set X-Frame-Options SAMEORIGIN env=!iframes_are_cool
Could someone help me with this?
SetEnvIf is not as flexible, so I recommend simply using <If> sections. Give the below a try:
<If "! %{HTTP_HOST} =~ m#http://myownwebsite\.com#">
Header set X-Frame-Options SAMEORIGIN
</If>
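The X-Frame-Options thread and this SetEnvIf thread both come down to how the browser, not the server, interprets the header it receives. The following is an added example (Python, not from any of the posters) that models the decision a current browser makes, following the X-Frame-Options check in the HTML standard and a simplified CSP frame-ancestors match, and runs constructed header sets from the configurations discussed above through it: SAMEORIGIN already lets a site frame itself (so no Host-based exception is needed), ALLOW-FROM is not a recognised value and leaves the page frameable by anyone, a duplicated header such as DENY plus SAMEORIGIN denies even same-origin frames, and frame-ancestors is what actually admits a specific third-party site. The origins are placeholders.

```python
from urllib.parse import urlsplit

# Response headers are (name, value) pairs so that a repeated header, as produced
# by "Header set" plus an application that emits its own value, is kept faithfully.

def _frame_ancestors(headers):
    """Return the frame-ancestors source list from a Content-Security-Policy
    header, or None when no such directive is present."""
    for name, value in headers:
        if name.lower() != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def _source_matches(source, framer, self_origin):
    """Simplified CSP source matching covering the forms used on this page:
    'none', 'self', *, scheme://host[:port], host and *.host.
    Full CSP matching additionally handles scheme upgrades, ports and paths."""
    if source == "'none'":
        return False
    if source == "'self'":
        return framer == self_origin
    if source == "*":
        return True
    if "://" in source:
        return source == framer
    host = urlsplit(framer).hostname or ""
    if source.startswith("*."):
        return host.endswith(source[1:])
    return host == source

def framing_allowed(headers, response_origin, framer_origin):
    """Decide whether a document from `response_origin`, returned with these
    headers, may be embedded by a top-level page at `framer_origin`.
    Origins are "scheme://host[:port]" strings."""
    response_origin = response_origin.lower()
    framer_origin = framer_origin.lower()

    sources = _frame_ancestors(headers)
    if sources is not None:
        # A frame-ancestors directive is present: X-Frame-Options is ignored.
        return any(_source_matches(s, framer_origin, response_origin) for s in sources)

    values = set()
    for name, value in headers:
        if name.lower() == "x-frame-options":
            # Repeated headers and comma-joined values are both split apart.
            values.update(v.strip().lower() for v in value.split(","))
    if not values:
        return True
    if len(values) > 1:
        # Conflicting values: fail closed if any of them is a recognised token.
        return not (values & {"deny", "allowall", "sameorigin"})
    (value,) = values
    if value == "deny":
        return False
    if value == "sameorigin":
        return framer_origin == response_origin
    # Any other value, ALLOW-FROM included, is unrecognised and simply ignored.
    return True

SITE = "https://www.my-own-domain.example"   # the site sending the headers
PARTNER = "https://www.example.com"          # the one third party to be admitted
ATTACKER = "https://evil.example"            # anyone else

# Constructed header sets mirroring configurations from the threads above.
CASES = {
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN")],
    "allow_from": [("X-Frame-Options", f"ALLOW-FROM {PARTNER}")],
    "duplicated": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "csp": [("X-Frame-Options", "DENY"),
            ("Content-Security-Policy", f"default-src 'self'; frame-ancestors 'self' {PARTNER}")],
}

def demo():
    """Return {case: {framer_origin: allowed}} for every constructed case."""
    return {case: {f: framing_allowed(h, SITE, f) for f in (SITE, PARTNER, ATTACKER)}
            for case, h in CASES.items()}

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The "csp" case is the configuration to reach for when a partner site must be allowed: Header always set Content-Security-Policy "frame-ancestors 'self' https://www.example.com" is honoured by current browsers, while the ALLOW-FROM form only worked in older Firefox and Internet Explorer and is otherwise treated as no header at all.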