X-Frame-Options and security

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: users@xxxxxxxxxxxxxxxx
Subject: X-Frame-Options and security
From: Dave Wreski <dwreski@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Wed, 1 Sep 2021 19:29:43 -0400
Organization: Guardian Digital, Inc.
Reply-to: users@xxxxxxxxxxxxxxxx

Hi,

I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT.

The only settings we have are the following:

<IfModule mod_headers.c>
        Header set X-XSS-Protection "1; mode=block"
        Header set X-Frame-Options "SAMEORIGIN"
        Header set X-Content-Type-Options "nosniff"
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
        Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
        Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>

No where are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?

Other ideas greatly appreciated.

Thanks,
Dave

Follow-Ups:
- Re: X-Frame-Options and security
  - From: Eric Covener

Prev by Date: RE: SSL VHosts [EXT]
Next by Date: Re: X-Frame-Options and security
Previous by thread: HTTP 2.4.47 Question
Next by thread: Re: X-Frame-Options and security
Index(es):
- Date
- Thread

[Index of Archives] [Open SSH Users] [Linux ACPI] [Linux Kernel] [Linux Laptop] [Kernel Newbies] [Security] [Netfilter] [Bugtraq] [Squid] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Samba] [Video 4 Linux] [Device Mapper]