server-configs-nginx/h5bp/security/x-frame-options.conf

# ----------------------------------------------------------------------
# | Frame Options                                                      |
# ----------------------------------------------------------------------

# Protect website against clickjacking.
#
# The example below sends the `X-Frame-Options` response header with the value
# `DENY`, informing browsers not to display the content of the web page in any
# frame.
#
# This might not be the best setting for everyone. You should read about the
# other two possible values the `X-Frame-Options` header field can have:
# `SAMEORIGIN` and `ALLOW-FROM`.
# https://tools.ietf.org/html/rfc7034#section-2.1.
#
# Keep in mind that while you could send the `X-Frame-Options` header for all
# of your website's pages, this has the potential downside that it forbids even
# non-malicious framing of your content.
#
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
# all pages that allow a user to make a state-changing operation (e.g: pages
# that contain one-click purchase links, checkout or bank-transfer confirmation
# pages, pages that make permanent configuration changes, etc.).
#
# Sending the `X-Frame-Options` header can also protect your website against
# more than just clickjacking attacks.
# https://cure53.de/xfo-clickjacking.pdf.
#
# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
#     which obsoletes this header for supporting browsers.
#
# https://tools.ietf.org/html/rfc7034
# https://owasp.org/www-project-secure-headers/#x-frame-options
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options

add_header X-Frame-Options $x_frame_options always;
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# ----------------------------------------------------------------------`
Improve wording and file headers 2019-05-15 18:26:04 +02:00			`# \| Frame Options \|`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# ----------------------------------------------------------------------`

			`# Protect website against clickjacking.`
			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# The example below sends the `X-Frame-Options` response header with the value
			# `DENY`, informing browsers not to display the content of the web page in any
			`# frame.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			`# This might not be the best setting for everyone. You should read about the`
			# other two possible values the `X-Frame-Options` header field can have:
			# `SAMEORIGIN` and `ALLOW-FROM`.
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# https://tools.ietf.org/html/rfc7034#section-2.1.`
			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# Keep in mind that while you could send the `X-Frame-Options` header for all
Do no use non-ASCII characters in loaded configs I had an issue with Certbot (let's encrypt) which failed to reload nginx due to a non-ASCII character in a loaded config file. E.g.: `Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: 'ascii' codec can't decode byte 0xe2 in position 762: ordinal not in range(128). Skipping.` I found this character using `grep -r -P '[^\x00-\x7f]' /etc/nginx`. 2020-02-05 17:52:58 +01:00			`# of your website's pages, this has the potential downside that it forbids even`
Improve `X-Frame-Options` documentation (#277) Co-authored-by: Léo Colombaro <git@colombaro.fr> 2021-06-13 23:30:25 +02:00			`# non-malicious framing of your content.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
			`# all pages that allow a user to make a state-changing operation (e.g: pages`
			`# that contain one-click purchase links, checkout or bank-transfer confirmation`
			`# pages, pages that make permanent configuration changes, etc.).`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`#`
Documentation formatting and reviewing (#232) No code changes, some config reordering 2019-05-15 18:38:05 +02:00			# Sending the `X-Frame-Options` header can also protect your website against
			`# more than just clickjacking attacks.`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# https://cure53.de/xfo-clickjacking.pdf.`
			`#`
Improve `X-Frame-Options` documentation (#277) Co-authored-by: Léo Colombaro <git@colombaro.fr> 2021-06-13 23:30:25 +02:00			# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
			`# which obsoletes this header for supporting browsers.`
			`#`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00			`# https://tools.ietf.org/html/rfc7034`
Improve security headers documentation Refresh and reorder links 2021-06-14 12:38:26 +02:00			`# https://owasp.org/www-project-secure-headers/#x-frame-options`
			`# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options`
			`# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options`
Split directives to enforce atomic structure * Enforce H5BP style * Improve inline documentation to simplify maintenance * Prepare v3 2018-11-23 17:14:15 +01:00
Switch from location directives to maps based on MIME-types * Expire * X-XSS-Protection * X-Frame-Options * X-UA-Compatible * Content-Security-Policy * Access-Control-Allow-Origin 2019-02-10 20:46:58 +01:00			`add_header X-Frame-Options $x_frame_options always;`