X-Frame-Options in nginx to allow all domains

Question

I'm using nginx as a reverse proxy for my website.

I want to be able to open my website in an iFrame from a chrome extension new tab html file.

For this, I need my nginx to set X-Frame-Options to allow all domains.

According to this answer, all domains is the default state if you don't set X-Frame-Options.

My /etc/nginx/nginx.conf doesn't have the X-Frame-Options set anywhere.

Yet when I check my website response header using Postman, it shows me X-Frame-Options = SAMEORIGIN.

How can I remove this setting and load my website in an iFrame in the chrome new-tab .html file?

score 48 · Accepted Answer · answered Nov 21 '17 at 06:01

48

Solved it by changing proxy_hide_header values in /etc/nginx/sites-available/default file like so:

proxy_hide_header X-Frame-Options;

Needed to restart nginx as well as use pm2 to restart my nodejs server (for some reason, it didn't work till I made a small change to my server and restarted it).

answered Nov 21 '17 at 06:01

Mallika Khullar

1,725
3
22
37

1

Wish this was better documented though. – Mallika Khullar Nov 21 '17 at 06:03
I did that though not in default in the app-specific conf file and it didn't work. I have Cloudflare in front of the server, does that overwrite the header in anyway? – Ashit Vora May 01 '18 at 06:24

Jonathan · Answer 2 · 2018-11-20T03:57:29.650

18

add_header X-Frame-Options ""; did the trick for me in nginx 1.12.

edited Nov 20 '18 at 03:57

answered Nov 20 '18 at 02:48

Jonathan

13,947
17
94
123

score 9 · Answer 3 · answered Jul 19 '21 at 06:30

9

Found this header in /etc/nginx/snippets/ssl-params.conf

Just needed to comment out the line:

# add_header X-Frame-Options DENY;

answered Jul 19 '21 at 06:30

Stalinko

3,319
28
31

1

I have nginx 1.18 configured w/ SSL and this did the trick for me. I was getting irritated at all the other answers. – Vincent La Oct 16 '22 at 22:56

score 3 · Answer 4 · answered Sep 15 '21 at 18:58

3

I found this header option in the file /etc/nginx/templates/default.conf.

add_header  X-Frame-Options "SAMEORIGIN" always;

default.conf file is mentioned in my main nginx.conf file.

answered Sep 15 '21 at 18:58

p.t3

31
1

1

As it’s currently written, your answer is unclear. Please [edit] to add additional details that will help others understand how this addresses the question asked. You can find more information on how to write good answers [in the help center](/help/how-to-ask). – Community Sep 15 '21 at 21:45
I have added in /etc/nginx/sites-available/app file (ubuntu 18.04). It works. Thanks buddy – Ramesh Ponnusamy Jun 03 '22 at 12:13

score 0 · Answer 5 · answered Nov 27 '22 at 16:40

0

maybe you can try adding this in your nginx config

add_header X-Frame-Options "" always;

it works for me

answered Nov 27 '22 at 16:40

Azam Rizki Maulana

1

Your answer could be improved with additional supporting information. Please [edit] to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers [in the help center](/help/how-to-answer). – Community Dec 01 '22 at 16:05

X-Frame-Options in nginx to allow all domains

5 Answers5