Re: X-Frame-Options and security


 



On Thu, Sep 9, 2021 at 7:57 PM Dave Wreski
<dwreski@xxxxxxxxxxxxxxxxxxx.invalid> wrote:
>
> Hi, revisiting a post from last week regarding X-Frame-Options and security settings. I performed a security scan of https://linuxsecurity.com using immuniweb (https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/) and it showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine where GOFORIT is being set, as we're not doing it manually, and I can't locate it within an htaccess or in the virtual host config.
>
> I also used geekflare (https://gf.dev/x-frame-options-test) and it also reported that we were using both GOFORIT and SAMEORIGIN values.
>
> I used lynx to dump the headers and it only displays SAMEORIGIN, as it should.
>
> Where else can I look to see where this option is being set?

Find your in-use LogFormat and add %{X-Frame-Options}o. Then run one
of those failing tests, uncached.
If it's not logged with "GOFORIT" it's not coming from Apache or
anything behind it.

AFAICT Google says "GOFORIT" is a hack to "break" an X-Frame-Options
when you don't have access to change it.
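
The logging check suggested above, as an added example that is not part of the original message: a log format carrying the response header, and a script that summarises which X-Frame-Options values the server actually sent. The format nickname `xfo`, the log path, the function names and the sample log lines are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed Apache directives (nickname "xfo" and the log path are placeholders;
# %{X-Frame-Options}o is the mod_log_config field for a response header):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{User-Agent}i\" \"%{X-Frame-Options}o\"" xfo
#   CustomLog logs/xfo_access.log xfo

# Constructed sample log lines in that format (not taken from the real site).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [09/Sep/2021:20:01:11 -0400] "GET / HTTP/1.1" 200 5123 "Lynx/2.8.9" "SAMEORIGIN"
192.0.2.44 - - [09/Sep/2021:20:02:37 -0400] "GET / HTTP/1.1" 200 5123 "scanner-a" "SAMEORIGIN"
192.0.2.44 - - [09/Sep/2021:20:02:38 -0400] "GET /robots.txt HTTP/1.1" 404 196 "scanner-a" "-"
192.0.2.77 - - [09/Sep/2021:20:05:02 -0400] "GET /?cb=1631232302 HTTP/1.1" 200 5123 "scanner-b" "SAMEORIGIN"
EOF
}

# Print "count value" for each distinct X-Frame-Options value logged.
# The value is the last double-quoted field; "-" means the header was absent.
xfo_summary() {
    awk -F'"' 'NF >= 3 { seen[$(NF-1)]++ }
               END { for (v in seen) print seen[v], v }' | LC_ALL=C sort -k2
}

# Print the log lines whose logged value mentions GOFORIT (case-insensitive),
# including a merged value such as "SAMEORIGIN, GOFORIT".
xfo_goforit() {
    awk -F'"' 'NF >= 3 && toupper($(NF-1)) ~ /GOFORIT/'
}

# Apply the reply's reasoning: if the server logged GOFORIT, the value comes
# from Apache or something behind it; otherwise look elsewhere.
xfo_verdict() {
    if [ -n "$(xfo_goforit)" ]; then echo apache-or-backend; else echo elsewhere; fi
}

sample_log | xfo_summary
echo "verdict: $(sample_log | xfo_verdict)"
```

Against a real log, replace `sample_log` with `cat` on the CustomLog file and match the scanner's request by timestamp or by a cache-busting query string.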
