Question

Blocking iframe because it set 'X-Frame-Options' to 'DENY'.

Posted March 25, 2017 92.4k views
Nginx PHP Ubuntu 16.04

I uploaded a project on the php server in my droplet which has both node and php server block on nginx. But when i opened it in the browser it isnt working because it works with i frames and in the console i see

Refused to display ‘myiframe’ in a frame because it set 'X-Frame-Options’ to 'DENY’.

And also Uncaught SecurityError: Failed to read the 'contentDocument’ property from 'HTMLIFrameElement’: Sandbox access violation: Blocked a frame at “https://www.mydomain.com” from accessing a frame at “null”. The frame being accessed is sandboxed and lacks the “allow-same-origin” flag.

What’s the most secure way to deal with those headers on nginx and php?

Add a comment
tamburrinipietro89
By:
tamburrinipietro89
Add a comment

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

3 answers
hansen March 25, 2017

@tamburrinipietro89
Change it from DENY to SAMEORIGIN. That keeps a lot of the security, while it should make your app work.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options

Reply Report
  • tamburrinipietro89 March 25, 2017

    Thanks a lot but i didnt set it to deny i checked my site enabled file and its not there. Where should i look to find where these headers are set? Im sure they re not set in my php files

    Reply Report
    • hansen March 25, 2017

      @tamburrinipietro89
      Can you run the following two commands (expecting your web folder is located somewhere beneath /var/www)

      grep -ri "X-Frame-Options" /etc/nginx

grep -ri "X-Frame-Options" /var/www

      Does any of these hint to a file? If yes, then the header is set in that file.
      By default, the X-Frame-Options header is not set, so it must be activated somewhere (maybe even an add-on in your browser to enhance security)

      Reply Report
      • nouredin October 31, 2018

        Thanks @hansen you almost saved my life :D
        I ran this command:

        grep -ri "X-Frame-Options" /etc/apache2

        and it turned out that the header was set in this file: /etc/apache2/conf-available/ssl-params.conf
        I just had to comment it.

        Reply Report
gopalsharma August 2, 2019

I got this error on my Moodle site after installing the self-signed SSL certificate on my ubuntu 18.04 and 16.04 with apache2 web server installed on it.
First, go to this location on your ubuntu server /etc/apache2/conf-available
and open the file ssl-params.conf , which you must have created for installing an SSL certificate.
Make this Change in the file from DENY to SMAEORIGIN
Header always set X-Frame-Options SAMEORIGIN
This worked for me.

Reply Report
devsharma871 October 14, 2019

I followed the same and changed in the ssl-params.conf but nothing seems to be changed.

Reply Report
Submit an Answer

Related

Looking for something else?

Ask a new question Search for more help