How to set X-Frame-Options Allow-From in nginx correctly
Some older browsers do not support Content Security Policy, so the correct syntax is:
add_header X-Frame-Options "ALLOW-FROM domain.com";
and the newer versions of browsers support Content Security Policy:
add_header Content-Security-Policy "frame-ancestors domain.com";
You should use both headers to ensure support in all browsers.
To learn more about browser support for X-Frame-Options and Content Security Policy (the CSP browser support data there is outdated, as it was written on 12/19/2017; currently all major browsers support CSP): https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet
In Chrome and Safari you need to use Content-Security-Policy:
Content-Security-Policy: frame-ancestors domain.com
You can check more details on this site:
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
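Added example (not part of the answers above): a small Python audit that takes one response's headers and reports which framing policy a CSP-capable browser enforces, and whether an X-Frame-Options fallback is present. The function names and the sample responses are constructed for illustration; domain.com is the placeholder used in the answers.

```python
def parse_frame_ancestors(csp):
    """Return the frame-ancestors source list from a CSP value, or None if absent."""
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:] or ["'none'"]  # an empty source list behaves like 'none'
    return None


def audit_framing(headers):
    """Classify the framing policy of one response (dict of header name -> value)."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    ancestors = parse_frame_ancestors(h.get("content-security-policy", ""))
    xfo_raw = h.get("x-frame-options", "")
    xfo = xfo_raw.upper()
    warnings = []

    if ancestors is not None:
        # Browsers that implement frame-ancestors enforce it and ignore X-Frame-Options.
        csp_browsers = "frame-ancestors " + " ".join(ancestors)
    elif xfo in ("DENY", "SAMEORIGIN"):
        csp_browsers = "x-frame-options " + xfo
    else:
        csp_browsers = "unrestricted"
        if xfo.startswith("ALLOW-FROM"):
            warnings.append("ALLOW-FROM alone: ignored by Chrome and Safari, add frame-ancestors")

    if xfo.startswith("ALLOW-FROM") and len(xfo.split()) != 2:
        warnings.append("ALLOW-FROM takes exactly one origin")
    if not xfo:
        warnings.append("no X-Frame-Options fallback for browsers without CSP")
    return {"csp_browsers": csp_browsers, "legacy_fallback": xfo_raw or None, "warnings": warnings}


# Constructed sample responses, using the placeholder domain from the answers above.
SAMPLES = {
    "both": {"X-Frame-Options": "ALLOW-FROM domain.com",
             "Content-Security-Policy": "frame-ancestors domain.com"},
    "xfo_only": {"X-Frame-Options": "ALLOW-FROM domain.com"},
    "csp_only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors domain.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit_framing(hdrs))
```

Feed it the headers returned by the nginx location you changed (for example, copied from `curl -I` output) to confirm both headers actually reach the client.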