I have this in my nginx configuration:

    add_header X-Frame-Options "SAMEORIGIN" always;

And from the client side, I always get "DENY, SAMEORIGIN". This is not logical; I should get "SAMEORIGIN" only.

I'm sure nginx takes my configuration into account, because if I comment it out and restart the server, from the client side I only get "DENY".
I can't find anywhere in the documentation that when you add_header X-Frame-Options "SAMEORIGIN" always; nginx still keeps the "DENY" option... and from here:
> There are three possible values for the X-Frame-Options header:
> - DENY, which prevents any domain from framing the content. The "DENY" setting is recommended unless a specific need has been identified for framing.
> - SAMEORIGIN, which only allows the current site to frame the content.
> - ALLOW-FROM uri, which permits the specified 'uri' to frame this page. (e.g., ALLOW-FROM http://www.example.com).
You can't find a value like "DENY, SAMEORIGIN". What am I missing?
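Added example (not from the question, nginx or its documentation): a small Python checker that reads the X-Frame-Options header(s) a client actually received, splits a comma-joined value like "DENY, SAMEORIGIN" into its directives, and reports when more than one directive is present or a directive falls outside the three documented values. The sample response, the `KNOWN` set and the helper names are assumptions for the example.

```python
"""Inspect X-Frame-Options as received by a client (added example)."""
import email
from dataclasses import dataclass
from typing import List

# The three documented directive names quoted in the question.
KNOWN = {"DENY", "SAMEORIGIN", "ALLOW-FROM"}

# Constructed sample: a response carrying the header twice, which many
# clients and proxies fold into a single "DENY, SAMEORIGIN" value.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)


@dataclass
class XfoReport:
    directives: List[str]  # directives in the order received
    unknown: List[str]     # directives not in the documented set
    merged: bool           # more than one directive was present
    consistent: bool       # every directive present is the same


def xfo_from_raw_response(raw: str) -> List[str]:
    """Return every X-Frame-Options header value in a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0].replace("\r\n", "\n")
    _status_line, _, header_block = head.partition("\n")
    msg = email.message_from_string(header_block)  # case-insensitive lookup
    return msg.get_all("X-Frame-Options") or []


def parse_xfo(raw_values: List[str]) -> List[str]:
    """Split header value(s) on commas into individual directives."""
    directives = []
    for raw in raw_values:
        for token in raw.split(","):
            name, _, arg = " ".join(token.split()).partition(" ")
            if name:  # keep the ALLOW-FROM uri argument untouched
                directives.append(name.upper() + (" " + arg if arg else ""))
    return directives


def check_xfo(raw_values: List[str]) -> XfoReport:
    """Flag merged/duplicated and undocumented directives."""
    directives = parse_xfo(raw_values)
    unknown = [d for d in directives if d.split(" ", 1)[0] not in KNOWN]
    return XfoReport(directives, unknown,
                     merged=len(directives) > 1,
                     consistent=len(set(directives)) <= 1)
```

Running `check_xfo(xfo_from_raw_response(SAMPLE_RESPONSE))` shows two valid but different directives, which is the signature of a header added twice rather than an undocumented value.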