
I'm trying to iframe a site I built (using Rails) and deployed on an ubuntu instance on AWS using Phusion Passenger.

I looked more into it and found that I need to change my X-Frame-Options, an HTTP header, from 'SAME ORIGIN' to 'ALLOWALL'. I already added this line into my config/application.rb file and my config/environments/production.rb

    config.action_dispatch.default_headers.merge!({'X-Frame-Options' => 'ALLOWALL'})

Even then, when I open my site, I still get these settings in my Network Headers:

    Status:200 OK
    Transfer-Encoding:chunked
    X-Content-Type-Options:nosniff
    X-Frame-Options:SAMEORIGIN
    X-Powered-By:Phusion Passenger 5.0.11

This leads me to believe that there's a Phusion Passenger config file somewhere that I need to change the X-Frame-Options for. Any clues or help would be great, thanks!

pbbot
  • Found this article and it fixed my issue! [link](http://geekflare.com/add-x-frame-options-nginx/) – pbbot Jul 01 '15 at 16:32

2 Answers


The X-Frame-Options header should be set in your vhost (usually Apache or Nginx). For security reasons, if possible, only allow HTTPS whitelisted domains and whitelisted paths.

    <VirtualHost *:443>
      # ... Host and Passenger configuration ...

      <Location "/your-iframable-path">
        Header always set X-Frame-Options "ALLOW-FROM https://domain-using-iframe"
      </Location>
    </VirtualHost>

Habax

I had the same problem. After trying for a long time, I found the solution to it.
Passenger uses a template for its nginx configuration. When starting passenger, you pass the template to it using the --nginx-config-template parameter.
Now, to configure the X-Frame-Options header for passenger, simply edit the template file. Add the following line under the http { block of the template file:

    add_header X-Frame-Options "SAMEORIGIN";

And make sure to run

    sudo service passenger restart

to make the changes go live.

:)

Securiosity
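An added check that is not code from the question or either answer: a short Ruby script that parses a raw response header block and reports the framing posture a browser will actually enforce. It covers the three X-Frame-Options values that come up in this thread (the invalid ALLOWALL from the question, SAMEORIGIN, and the ALLOW-FROM form from the first answer) plus the CSP frame-ancestors directive that current browsers honour instead of ALLOW-FROM. The sample header block is constructed, modelled on the headers shown in the question; the sample origins in the test are assumptions.

```ruby
# Added example (not code from the question or either answer): given a raw
# HTTP response header block, report who may frame the page, the way a
# modern browser decides it. Header names are standard; sample origins
# are assumptions.

# Constructed sample, modelled on the response headers shown in the question.
SAMPLE_HEADERS = <<~HDR
  Status: 200 OK
  Transfer-Encoding: chunked
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-Powered-By: Phusion Passenger 5.0.11
HDR

# Parse "Name: value" lines into a Hash of lower-cased name => [values].
# Values are kept as arrays because a repeated X-Frame-Options header
# (one from Rails, one from the proxy) is itself worth reporting.
def parse_headers(raw)
  headers = Hash.new { |h, k| h[k] = [] }
  raw.each_line do |line|
    name, value = line.split(':', 2)
    next if value.nil?
    headers[name.strip.downcase] << value.strip
  end
  headers
end

# Return the source list of a CSP frame-ancestors directive, or nil if the
# header or the directive is absent.
def frame_ancestors(csp)
  return nil if csp.nil?
  directive = csp.split(';').map(&:strip)
                 .find { |d| d.downcase.start_with?('frame-ancestors') }
  directive && directive.split(/\s+/).drop(1)
end

# Decide the framing posture. CSP frame-ancestors takes precedence over
# X-Frame-Options when both are present (that is what browsers do).
# Returns { policy: :deny | :same_origin | :allow_from | :any,
#           origins: [...], warnings: [...] }.
def framing_posture(headers)
  warnings = []
  xfo = headers['x-frame-options']
  ancestors = frame_ancestors(headers['content-security-policy'].first)

  if ancestors
    warnings << 'frame-ancestors present: it overrides X-Frame-Options' unless xfo.empty?
    return { policy: :deny, origins: [], warnings: warnings } if ancestors == ["'none'"]
    return { policy: :same_origin, origins: [], warnings: warnings } if ancestors == ["'self'"]
    return { policy: :any, origins: ['*'], warnings: warnings } if ancestors.include?('*')
    return { policy: :allow_from, origins: ancestors, warnings: warnings }
  end

  if xfo.map(&:upcase).uniq.length > 1
    # HTML standard: more than one distinct X-Frame-Options value blocks framing.
    warnings << "conflicting X-Frame-Options values #{xfo.inspect}: browsers block all framing"
    return { policy: :deny, origins: [], warnings: warnings }
  end

  value = xfo.first.to_s
  if value.empty?
    warnings << 'no X-Frame-Options and no frame-ancestors: any site may frame this page'
    { policy: :any, origins: ['*'], warnings: warnings }
  elsif value.casecmp?('DENY')
    { policy: :deny, origins: [], warnings: warnings }
  elsif value.casecmp?('SAMEORIGIN')
    { policy: :same_origin, origins: [], warnings: warnings }
  elsif (m = value.match(/\AALLOW-FROM\s+(\S+)\z/i))
    warnings << 'ALLOW-FROM is not honoured by current browsers; use CSP frame-ancestors'
    { policy: :allow_from, origins: [m[1]], warnings: warnings }
  else
    # Anything else, including the ALLOWALL from the question, is not a valid
    # value: browsers ignore the header, so the page is framable by anyone.
    warnings << "invalid X-Frame-Options value #{value.inspect}: browsers ignore it"
    { policy: :any, origins: ['*'], warnings: warnings }
  end
end

# One-line report, handy when comparing what Rails sends with what the
# proxy in front of Passenger actually emits.
def report(raw)
  posture = framing_posture(parse_headers(raw))
  lines = ["framing: #{posture[:policy]} #{posture[:origins].join(' ')}".strip]
  posture[:warnings].each { |w| lines << "  warning: #{w}" }
  lines.join("\n")
end

if __FILE__ == $PROGRAM_NAME
  puts report(SAMPLE_HEADERS)
  puts report("X-Frame-Options: ALLOWALL\n")
end
```

Feed it the headers captured from `curl -I` against the deployed site to see which layer is winning: in the situation from the question the proxy's SAMEORIGIN replaces whatever Rails set, and an ALLOWALL that did get through would simply be ignored by browsers, which is the same as sending no header at all. When the fix goes into the nginx template as in the second answer, keep in mind that nginx's `add_header` directives set in the `http` block are not inherited by a `server` or `location` block that has any `add_header` of its own, so check the final response rather than the config.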