On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski <dwreski@xxxxxxxxxxxxxxxxxxx.invalid> wrote: > > Hi, > > I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT. > > The only settings we have are the following: > > <IfModule mod_headers.c> > Header set X-XSS-Protection "1; mode=block" > Header set X-Frame-Options "SAMEORIGIN" > Header set X-Content-Type-Options "nosniff" > Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" > Header set Feature-Policy "geolocation 'self'; vibrate 'none'" > Header set Content-Security-Policy "frame-ancestors 'self'" > </IfModule> > > No where are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it? No. I'd veifry with a command-line client and see if it happens even for static files. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|