X-Frame-Options: Nginx includes header twice

I’m running Nginx 1.4.4 on Ubuntu 12.04 and have added the
X-Frame-Options header for one of my sites but in testing it appears
that Nginx includes this itself in addition to user configured headers.
Basically I want X-Frame-Options to be DENY but when I set that header
Nginx also sends an X-Frame-Options SAMEORIGIN header so that there are
two X-Frame-Options headers in every request.

Is there some way to disable the extra header? I can’t find anything in
my configuration that would add the second header.

— Original message —
From: “Some D.”
Date: 25 January 2014, 06:04:10

I’m running Nginx 1.4.4 on Ubuntu 12.04 and have added the X-Frame-Options
header for one of my sites but in testing it appears that Nginx includes this
itself in addition to user configured headers. Basically I want X-Frame-Options to
be DENY but when I set that header Nginx also sends an X-Frame-Options SAMEORIGIN
header so that there are two X-Frame-Options headers in every request.

Is there some way to disable the extra header? I can’t find anything in my
configuration that would add the second header.

Maybe this is the header that has been set by your PHP application?
You can remove this with the help of the module

On 25/01/2014 07:51, wishmaster wrote:

Maybe this is the header that has been set by your PHP application?
You can remove this with the help of the module
Headers More | NGINX

I don’t actually use PHP but your response led me to an answer.
Apparently Django sets some headers so it looks like I need to disable
it there. Thanks!

Seems a bit strange to me that an application framework sets HTTP
headers. Surely this should be left to the HTTP server? What are other
people’s opinions on this?

On 27 January 2014 02:49, Some D. wrote:

Seems a bit strange to me that an application framework sets HTTP headers.
Surely this should be left to the HTTP server? What are other people’s
opinions on this?

There are many instances where the application is the most
knowledgeable layer regarding which HTTP headers to send: think
caching; think keep-alive. In general, the absolute /least/ you can do
in the reverse-proxy layer, the better. IMHO.

J

On 27/01/2014 09:50, Jonathan M. wrote:

Fair enough. It would be somewhat easier to manage if all headers were
implemented in one place or the other. If I could set arbitrary headers
in Django then I could do it all there but at the moment I have some
headers set in my Nginx configuration and some headers that appear to be
set in Django and that just makes it confusing.

On 28 January 2014 11:04, Some D. wrote:

If I could set arbitrary headers in
Django then I could do it all there

I know nothing about Django, but this would seem to be what you’re
asking for:
https://docs.djangoproject.com/en/1.6/ref/request-response/#setting-header-fields

J
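
A check for the situation discussed in this thread, added here as an example and not part of any poster's message: it reads a response head and reports security headers that arrive more than once, which is what happens when the reverse proxy and the application each set their own copy. The function names, the choice of headers checked besides X-Frame-Options, and the sample response are constructed for illustration.

```python
import io
from collections import defaultdict
from http.client import parse_headers

# Headers that should appear once per response (this example's own selection).
SINGLE_VALUED = ("x-frame-options", "x-content-type-options",
                 "strict-transport-security")


def headers_from_raw(raw: bytes):
    """Return (name, value) pairs from a raw response head, duplicates kept."""
    fp = io.BytesIO(raw)
    fp.readline()  # discard the status line
    return parse_headers(fp).items()


def duplicate_headers(pairs, names=SINGLE_VALUED):
    """Map header name -> list of values, for headers sent more than once."""
    seen = defaultdict(list)
    for name, value in pairs:
        if name.lower() in names:
            seen[name.lower()].append(value.strip())
    return {n: v for n, v in seen.items() if len(v) > 1}


def report(pairs):
    """One finding per duplicated header, noting whether the values disagree."""
    findings = []
    for name, values in sorted(duplicate_headers(pairs).items()):
        differ = len({v.upper() for v in values}) > 1
        kind = "conflicting" if differ else "repeated"
        findings.append(f"{name}: {kind} values {values}")
    return findings


# Constructed sample: one copy from the application, one from the proxy.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: nginx/1.4.4\r\n"
          b"Content-Type: text/html\r\n"
          b"X-Frame-Options: SAMEORIGIN\r\n"
          b"X-Frame-Options: DENY\r\n"
          b"\r\n")

if __name__ == "__main__":
    for line in report(headers_from_raw(SAMPLE)):
        print(line)
```

`duplicate_headers` also accepts the list returned by `http.client.HTTPResponse.getheaders()`, so the same check can run against a live response from a site you operate.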