# ---------------------------------------------------------------------- # | Frame Options | # ---------------------------------------------------------------------- # Protect website against clickjacking. # # The example below sends the `X-Frame-Options` response header with the value # `DENY`, informing browsers not to display the content of the web page in any # frame. # # This might not be the best setting for everyone. You should read about the # other two possible values the `X-Frame-Options` header field can have: # `SAMEORIGIN` and `ALLOW-FROM`. # https://tools.ietf.org/html/rfc7034#section-2.1. # # Keep in mind that while you could send the `X-Frame-Options` header for all # of your website’s pages, this has the potential downside that it forbids even # non-malicious framing of your content (e.g.: when users visit your website # using a Google Image Search results page). # # Nonetheless, you should ensure that you send the `X-Frame-Options` header for # all pages that allow a user to make a state-changing operation (e.g: pages # that contain one-click purchase links, checkout or bank-transfer confirmation # pages, pages that make permanent configuration changes, etc.). # # Sending the `X-Frame-Options` header can also protect your website against # more than just clickjacking attacks. # https://cure53.de/xfo-clickjacking.pdf. # # https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options # https://tools.ietf.org/html/rfc7034 # https://blogs.msdn.microsoft.com/ieinternals/2010/03/30/combating-clickjacking-with-x-frame-options/ # https://www.owasp.org/index.php/Clickjacking add_header X-Frame-Options $x_frame_options always;