38 lines
1.8 KiB
Nginx Configuration File
38 lines
1.8 KiB
Nginx Configuration File
# ----------------------------------------------------------------------
|
|
# | Frame Options |
|
|
# ----------------------------------------------------------------------
|
|
|
|
# Protect website against clickjacking.
|
|
#
|
|
# The example below sends the `X-Frame-Options` response header with the value
|
|
# `DENY`, informing browsers not to display the content of the web page in any
|
|
# frame.
|
|
#
|
|
# This might not be the best setting for everyone. You should read about the
|
|
# other two possible values the `X-Frame-Options` header field can have:
|
|
# `SAMEORIGIN` and `ALLOW-FROM`.
|
|
# https://tools.ietf.org/html/rfc7034#section-2.1.
|
|
#
|
|
# Keep in mind that while you could send the `X-Frame-Options` header for all
|
|
# of your website's pages, this has the potential downside that it forbids even
|
|
# non-malicious framing of your content.
|
|
#
|
|
# Nonetheless, you should ensure that you send the `X-Frame-Options` header for
|
|
# all pages that allow a user to make a state-changing operation (e.g: pages
|
|
# that contain one-click purchase links, checkout or bank-transfer confirmation
|
|
# pages, pages that make permanent configuration changes, etc.).
|
|
#
|
|
# Sending the `X-Frame-Options` header can also protect your website against
|
|
# more than just clickjacking attacks.
|
|
# https://cure53.de/xfo-clickjacking.pdf.
|
|
#
|
|
# (!) The `Content-Security-Policy` header has a `frame-ancestors` directive
|
|
# which obsoletes this header for supporting browsers.
|
|
#
|
|
# https://tools.ietf.org/html/rfc7034
|
|
# https://owasp.org/www-project-secure-headers/#x-frame-options
|
|
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
|
|
# https://docs.microsoft.com/archive/blogs/ieinternals/combating-clickjacking-with-x-frame-options
|
|
|
|
add_header X-Frame-Options $x_frame_options always;
|