Modify headers x-frame-options in .htaccess

prettyInPink · Oct 1, 2016

I'm trying to modify the x-frame-options in my .htaccess file. I would like only one specific site to be allowed (apart from the sameorigin site). Although I am able to deny it for all, I have no clue how to allow it for only one site. I have looked up the docs on MDN, but must have either overlooked something or I am not getting it correctly.

Code that did work to block all:

Header set X-Frame-Options DENY

None of the examples below worked, however; they resulted in a 500 external error:

Header set X-Frame-Options ALLOW-FROM URL

Header set X-Frame-Options: ALLOW-FROM URL

X-Frame-Options: ALLOW-FROM URL

I have other code in the .htaccess file and added all of the above, to test, on the first line of the file.

Thanks for any help.

Answer

Pierre · Sep 7, 2017

Use:

Header set X-Frame-Options "ALLOW-FROM URL"

Since syntax is:

Header set <header-name> <header-value>

DENY is one word, so it's parsed as the header value, but ALLOW-FROM your.url is parsed as two arguments, thus Apache complains about your.url as an unknown parameter.

It must be quoted to be considered as the whole header value. It's like command line arguments.
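An added example, not part of the answer above: the failing and quoted forms side by side, plus the Content-Security-Policy `frame-ancestors` directive, which can express "same origin and one other site" in a single header. ALLOW-FROM is obsolete and ignored by current browsers, and X-Frame-Options cannot combine it with SAMEORIGIN. `https://partner.example` is a placeholder origin and the use of `always` is a choice made for this example.

```apache
# Added example for a site's .htaccess; https://partner.example is a placeholder origin.
<IfModule mod_headers.c>
    # Fails with a 500: unquoted, the URL becomes a separate argument to the
    # Header directive instead of part of the header value.
    # Header set X-Frame-Options ALLOW-FROM https://partner.example

    # Parses correctly: the quotes make the whole string one header value.
    # "always" also applies the header to error responses.
    Header always set X-Frame-Options "ALLOW-FROM https://partner.example"

    # Same-origin framing plus one external site, for browsers that ignore ALLOW-FROM.
    Header always set Content-Security-Policy "frame-ancestors 'self' https://partner.example"
</IfModule>
```

Check the result with the browser's network inspector or `curl -I` against a page on the site: both headers should appear once, each with its full quoted value.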