Nothing will be undone by X-Frame-Options (Apache, PHP 5.3)

Question

Nothing will be undone by X-Frame-Options (Apache, PHP 5.3)

I am trying to implement an embeddable widget that functions similarly to the built-in Twitter tweet. The simplest solution, although perhaps not the best, seems to be a built-in iframe or HTML5, but both of them are blocked by the X-Frame-Options header on the server.

I am running PHP 5.3 and Apache 2.2 on a dedicated server under full control.

I tried to put in the first line of the very first line of the PHP iframe file:

header_remove("X-Frame-Options");

I tried adding the following to .htaccess:

 Header unset X-Frame-Options

I checked httpd.conf, the vhost.conf file, even PHP.INI, and searched for "x-frame" - nothing seems to be relevant in any.

There are no mod_security or other plugins to be entered on this server that I see.

However, curl checks the following HTTP header no matter what I do:

 X-Frame-Options: DENY

Are there any possibly oddly named settings somewhere that could still force this header?

+9

php apache x-frame-options

Corey Oct 16 '15 at 13:53

source share

3 answers

I had the same problem and decided to write this in httpd.conf

The header adds X-Frame-Options ALLOWALL, I also had to configure the loadable header module so that apache understood this directive. Then you must restart httpd.

+2

Rubén gonzález May 26 '16 at 13:53

source share

Just in case, if you want to change this in .htaccess, it will be like this:

 Header always unset X-Frame-Options env=HTTPS

0

Vlax Sep 19 '19 at 16:04

source share

Corey · Accepted Answer · 2015-10-16T16:11:46+0000

X-Frame options were forced by ssl.conf.

Commenting and restarting Apache is allowed to use .htaccess and PHP header management.

Nothing will be undone by X-Frame-Options (Apache, PHP 5.3)

More articles: