Re: X-Frame-Options and security

Thu, 2 Sep 2021 at 18:18, Dave Wreski <dwreski@xxxxxxxxxxxxxxxxxxx.invalid>:
>
> <IfModule mod_headers.c>
>         Header set X-XSS-Protection "1; mode=block"
>         Header set X-Frame-Options "SAMEORIGIN"

https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header

What headers are returned by error pages and by redirects (e.g. 302
redirect when requesting a directory without a trailing '/')?
What headers are returned by dynamic responses (proxied or CGI), if
you have any?

Maybe like this, adapting an example from the docs:

Header onsuccess unset X-Frame-Options
Header always set X-Frame-Options "SAMEORIGIN"

>         Header set X-Content-Type-Options "nosniff"
>         Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
>         Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
>         Header set Content-Security-Policy "frame-ancestors 'self'"
> </IfModule>
>

Best regards,
Konstantin Kolinko
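
A check for the questions raised in this reply, as an added example that is not part of the original message: it parses response heads for a normal page, a directory redirect, an error page and a proxied response, and reports whether X-Frame-Options is present exactly once with the expected value. The response heads are constructed samples, and the function names are hypothetical.

```python
"""Audit response heads for X-Frame-Options coverage across response types."""

# Constructed response heads (not captured from a real server), one per case
# asked about above: success, directory redirect, error page, proxied backend.
SAMPLES = {
    "200 static": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "302 directory redirect": "HTTP/1.1 302 Found\r\nLocation: /docs/\r\n\r\n",
    "404 error page": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n\r\n",
    # Backend sent its own value and the front end added another one.
    "200 proxied": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
}


def parse_head(raw):
    """Return (status_code, [(lowercased_name, value), ...]), keeping repeats."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit(raw, name="x-frame-options", expected="SAMEORIGIN"):
    """Classify one response head as ok / missing / duplicate / unexpected-value."""
    status, headers = parse_head(raw)
    values = [v for n, v in headers if n == name]
    if not values:
        verdict = "missing"
    elif len(values) > 1:
        verdict = "duplicate"  # header emitted more than once
    elif values[0].upper() != expected:
        verdict = "unexpected-value"
    else:
        verdict = "ok"
    return status, verdict


def audit_all(samples=SAMPLES):
    """Audit every sample and return {label: (status, verdict)}."""
    return {label: audit(raw) for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (status, verdict) in audit_all().items():
        print(f"{label:24} {status} {verdict}")
```

To run it against a real server, replace the sample strings with the header output saved from requests for a page, a directory without the trailing '/', a nonexistent path, and any proxied or CGI URL.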
