Hi, revisiting a post from last week regarding X-Frame-Options and security settings. I performed a security scan of https://linuxsecurity.com using immuniweb (https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/) and it showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine where GOFORIT is being set, as we're not doing it manually, and I can't locate it within an htaccess or in the virtual host config.
I also used geekflare (https://gf.dev/x-frame-options-test) and it also reported that we were using both GOFORIT and SAMEORIGIN values.
I used lynx to dump the headers and it only displays SAMEORIGIN, as it should.
Where else can I look to see where this option is being set?
Thanks,
Dave
On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski <dwreski@xxxxxxxxxxxxxxxxxxx.invalid> wrote:

> Hi, I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test) on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but it also returned GOFORIT. The only settings we have are the following:
>
>     <IfModule mod_headers.c>
>         Header set X-XSS-Protection "1; mode=block"
>         Header set X-Frame-Options "SAMEORIGIN"
>         Header set X-Content-Type-Options "nosniff"
>         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>         Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
>         Header set Content-Security-Policy "frame-ancestors 'self'"
>     </IfModule>
>
> Nowhere are we setting GOFORIT. Is it somehow the default and necessary to explicitly disable it?

No. I'd verify with a command-line client and see if it happens even for static files.
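The command-line check suggested in the reply, written out as an added example (not from anyone in this thread): it lists every X-Frame-Options value a response carries, whether the header is repeated or comma-joined, and flags anything other than a single DENY or SAMEORIGIN, since browsers handle conflicting values in browser-specific ways. The sample header dumps are constructed; fetch_xfo is a hypothetical wrapper around curl for use against a page and a static file.

```shell
#!/bin/sh
# check_xfo reads raw HTTP response headers on stdin, prints each
# X-Frame-Options value it finds (a repeated header or one header with
# comma-separated values both yield several), and returns:
#   0 - exactly one value and it is DENY or SAMEORIGIN
#   1 - no header, more than one value, or an unrecognised value (e.g. GOFORIT)
check_xfo() {
    values=$(tr -d '\r' | grep -i '^x-frame-options:' | cut -d: -f2- \
             | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
             | tr 'a-z' 'A-Z' | grep -v '^$')
    count=$(printf '%s\n' "$values" | grep -c .)
    [ "$count" -eq 0 ] && { echo "PROBLEM: no X-Frame-Options header"; return 1; }
    printf '%s\n' "$values"
    [ "$count" -ne 1 ] && { echo "PROBLEM: $count values sent"; return 1; }
    case "$values" in
        DENY|SAMEORIGIN) return 0 ;;
        *) echo "PROBLEM: unrecognised value '$values'"; return 1 ;;
    esac
}

# fetch_xfo (hypothetical helper) fetches only the response headers of a URL
# with curl (-s silent, -I HEAD request, -L follow redirects) and checks them.
# Compare an HTML page with a static file such as /robots.txt: if the static
# file is clean, the extra value comes from whatever generates the pages.
fetch_xfo() {
    curl -sIL "$1" | check_xfo
}

# Constructed header dumps mirroring the two results reported in the thread.
SAMPLE_OK='HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

SAMPLE_BAD='HTTP/1.1 200 OK
X-Frame-Options: GOFORIT
X-Frame-Options: SAMEORIGIN
Content-Type: text/html'

# Run the check over the constructed samples; against a live host use
# fetch_xfo https://host.invalid/ and fetch_xfo https://host.invalid/robots.txt
for sample in "$SAMPLE_OK" "$SAMPLE_BAD"; do
    printf '%s\n' "$sample" | check_xfo && echo "ok" || echo "misconfigured"
    echo "---"
done
```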