
I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before, we had:

add_header X-Frame-Options "SAMEORIGIN"; on all our pages.

To accomplish what I want to do I tried:

add_header X-Frame-Options https://somewebsite.com;

This ends up allowing iframes as wanted, but it allows them from every domain, not just from https://somewebsite.com.

How can I deny iframes from all external pages but allow them from one subdomain?

Side info:

Both sites run on the same machine.

Bent

1 Answer

The RFC for the X-Frame-Options header states that valid options for the header are:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM <uri>

So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:

add_header X-Frame-Options "ALLOW-FROM https://subdomain.example.com/";
heavyd
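An added evaluator (not part of the original answer) that models how a browser applies the three RFC 7034 values to a framed page, and shows why the asker's bare-URL value gives no protection: a value that is not DENY, SAMEORIGIN or ALLOW-FROM is simply ignored. The page and framer URLs in the test are constructed examples.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> str:
    """Return scheme://host[:port], lower-cased, with default ports dropped,
    which is the form browsers compare when checking framing origins."""
    p = urlsplit(url)
    if not p.scheme or not p.hostname:
        raise ValueError(f"not an absolute URL: {url!r}")
    scheme = p.scheme.lower()
    port = ""
    if p.port and p.port != DEFAULT_PORTS.get(scheme):
        port = f":{p.port}"
    return f"{scheme}://{p.hostname.lower()}{port}"


def parse_xfo(value: str):
    """Parse an X-Frame-Options value per RFC 7034.
    Returns ("DENY", None), ("SAMEORIGIN", None) or ("ALLOW-FROM", origin).
    Returns None for anything else (e.g. a bare URL with no keyword);
    browsers discard such a header, so framing is left unrestricted."""
    parts = value.strip().split()
    if len(parts) == 1 and parts[0].upper() in ("DENY", "SAMEORIGIN"):
        return (parts[0].upper(), None)
    if len(parts) == 2 and parts[0].upper() == "ALLOW-FROM":
        try:
            return ("ALLOW-FROM", origin_of(parts[1]))
        except ValueError:
            return None
    return None


def framing_allowed(header_value: str, page_url: str, framer_url: str) -> bool:
    """Decide whether page_url may be embedded by a top-level page at framer_url."""
    parsed = parse_xfo(header_value)
    if parsed is None:
        return True  # invalid header value: no clickjacking protection at all
    directive, allowed_origin = parsed
    if directive == "DENY":
        return False
    if directive == "SAMEORIGIN":
        return origin_of(page_url) == origin_of(framer_url)
    return origin_of(framer_url) == allowed_origin
```

Note that ALLOW-FROM was honoured only by Firefox and Internet Explorer/Edge Legacy; Chrome and Safari ignore it, so the Content-Security-Policy frame-ancestors directive is the portable way to allow a single subdomain.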