Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

March 25, 2017 71.7k views
Nginx PHP Ubuntu 16.04

I uploaded a project on the PHP server in my droplet, which has both a Node and a PHP server block on nginx. But when I opened it in the browser it isn't working, because it works with iframes, and in the console I see

Refused to display 'myiframe' in a frame because it set 'X-Frame-Options' to 'DENY'.

And also Uncaught SecurityError: Failed to read the 'contentDocument' property from 'HTMLIFrameElement': Sandbox access violation: Blocked a frame at "" from accessing a frame at "null". The frame being accessed is sandboxed and lacks the "allow-same-origin" flag.

What's the most secure way to deal with those headers on nginx and php?

2 Answers

Change it from DENY to SAMEORIGIN. That keeps a lot of the security, while it should make your app work.

  • Thanks a lot, but I didn't set it to DENY. I checked my sites-enabled file and it's not there. Where should I look to find where these headers are set? I'm sure they're not set in my PHP files.

    • @tamburrinipietro89
      Can you run the following two commands (assuming your web folder is located somewhere beneath /var/www)?

      grep -ri "X-Frame-Options" /etc/nginx
      grep -ri "X-Frame-Options" /var/www

      Do any of these point to a file? If yes, then the header is set in that file.
      By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even by an add-on in your browser to enhance security).

      • Thanks @hansen, you almost saved my life :D
        I ran this command:

        grep -ri "X-Frame-Options" /etc/apache2

        and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
        I just had to comment it out.

I got this error on my Moodle site after installing a self-signed SSL certificate on my Ubuntu 18.04 and 16.04 servers with the apache2 web server installed.
First, go to this location on your Ubuntu server: /etc/apache2/conf-available
and open the file ssl-params.conf, which you must have created when installing the SSL certificate.
Make this change in the file, from DENY to SAMEORIGIN:

    Header always set X-Frame-Options SAMEORIGIN

This worked for me.
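As an added illustration (not code from the thread), a small Python model of how a browser applies the header to a framed page: DENY blocks even same-origin framing, which is the asker's situation, while SAMEORIGIN only helps when the iframe's origin, port included, matches every enclosing page's origin. The header values and URLs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed response headers for the situations discussed in the thread
# (not captured from the asker's server).
DENY_HEADERS = {"X-Frame-Options": "DENY"}
SAMEORIGIN_HEADERS = {"X-Frame-Options": "SAMEORIGIN"}


def origin(url: str) -> str:
    """Reduce a URL to its origin: scheme, host and explicit or default port."""
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return f"{parts.scheme}://{parts.hostname}:{port}"


def frame_allowed(headers: dict, framed_url: str, ancestor_urls: list) -> bool:
    """Decide whether a document at framed_url may be shown inside the
    documents listed in ancestor_urls (outermost first), based only on its
    X-Frame-Options response header.

    Modelled behaviour (an assumption about browser semantics): DENY always
    blocks, SAMEORIGIN requires every ancestor to share the framed page's
    origin, and a missing or unrecognised value places no restriction.
    """
    # Header names are case-insensitive, so match on the lowercased name.
    value = next(
        (v for k, v in headers.items() if k.lower() == "x-frame-options"), ""
    ).strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        target = origin(framed_url)
        return all(origin(a) == target for a in ancestor_urls)
    return True


if __name__ == "__main__":
    page = "https://example.com/app"
    # The asker's case: DENY blocks the app even when framed by itself.
    print(frame_allowed(DENY_HEADERS, page, ["https://example.com/"]))
    # After the fix: SAMEORIGIN permits framing from the same origin.
    print(frame_allowed(SAMEORIGIN_HEADERS, page, ["https://example.com/"]))
    # A service on another port is a different origin, so SAMEORIGIN still blocks.
    print(frame_allowed(SAMEORIGIN_HEADERS, "https://example.com:3000/app",
                        ["https://example.com/"]))
```

If the PHP page frames something served by the Node server block on a different port or hostname, SAMEORIGIN will still block it, because the origin comparison includes scheme, host and port.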
