
I have a multimedia site that contains thousands of videos. I had to prevent "clickjacking" due to some problems I encountered.

The thing is, when I include the following header in my httpd.config file, users cannot share my videos through social networks or applications.

Header always append X-Frame-Options SAMEORIGIN

I host the embed videos through https://example.org/embed/VIDEO-ID

Is it possible to disable X-Frame-Options SAMEORIGIN just for embed videos? If so, could you please explain it to me?

What I have tried so far:

  • I tried to remove header in /embed/ with PHP
  • I tried to unset the header in /embed/

On httpd I've done the following:

header always append X-Frame-Options SAMEORIGIN

On the /embed/ page I am doing the following:

header_remove("X-Frame-Options");
header('X-Frame-Options: GOFORIT');
Lunatic Fnatic
  • Show us how you are appending that header and how you tried removing it. – apokryfos Mar 11 '17 at 07:59
  • @apokryfos I have updated the content about how I append and remove, thanks :) – Lunatic Fnatic Mar 11 '17 at 10:37
  • I doubt that you can remove a header you've set via httpd in PHP. It depends on when it's set. If it's set after PHP is run then it doesn't make a difference. I think you should consider adding headers in an .htaccess and making an exception if the link is embed. Syntax should be similar to the httpd. – apokryfos Mar 11 '17 at 19:17
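
An added example, not part of the original question or its comments: one way to write the exception suggested in the last comment, in Apache configuration. It assumes Apache 2.4.10 or later with mod_headers loaded, and that embeds are requested under the /embed/ path shown in the question.

```apache
# Added example (not from the original post).
# Assumes Apache >= 2.4.10 (for the expr= condition) and mod_headers.

# Before: sent on every response, including /embed/VIDEO-ID.
# mod_headers applies "always" headers when the response is sent,
# after PHP has finished, so header_remove() in the PHP script
# never sees this header and cannot remove it.
#
#   Header always append X-Frame-Options SAMEORIGIN

# After: sent on every response except requests whose path starts
# with /embed/. THE_REQUEST is the original request line
# ("GET /embed/VIDEO-ID HTTP/1.1"), so the match still holds when
# mod_rewrite maps /embed/VIDEO-ID to a PHP script internally.
# "set" replaces any existing value instead of appending a second one.
Header always set X-Frame-Options "SAMEORIGIN" "expr=%{THE_REQUEST} !~ m#^[A-Z]+ /embed/#"

# The same policy as a CSP directive, which current browsers
# prefer over X-Frame-Options when both are present.
Header always set Content-Security-Policy "frame-ancestors 'self'" "expr=%{THE_REQUEST} !~ m#^[A-Z]+ /embed/#"
```

With this in place the embed player can be framed by any site, so the /embed/ pages should expose only the player and no state-changing controls that depend on the visitor's session.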

0 Answers