How to omit the X-Frame-Options header for a specific path

1. Caddy version (caddy version):

Caddy v2

2. How I run Caddy:

Running on Windows Server 2019 Std

3. The problem I’m having:

I need to omit the X-Frame-Options "SAMEORIGIN" header for a specific path only.

For example, when the users are trying to include a subpage from my site inside an iframe, the header needs to be omitted from the server response to allow the browsers to load the iframe content.

So, when the users are going to /scheduling/(...) the header should not be sent.

Right now, I am including the security headers in the config:

header * {
	X-XSS-Protection "1; mode=block"
	X-Frame-Options "SAMEORIGIN"
}

Thanks for the help!
Art

Use request matchers to either only send those headers for requests that do not match path /scheduling/*, or remove the header only for /scheduling/*.

@opts not path /scheduling/* 
header @opts {
	X-XSS-Protection "1; mode=block"
	X-Frame-Options "SAMEORIGIN"
}

Or, by removing the header afterwards only for a certain path (note the - before the header field name, which means “remove”):

route {
	header {
		X-XSS-Protection "1; mode=block"
		X-Frame-Options "SAMEORIGIN"
	}
	header /scheduling/* -X-Frame-Options "SAMEORIGIN"
}
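
Whichever of the two Caddyfile variants above is used, the result should be checked from the outside: X-Frame-Options must be absent under /scheduling/ and present everywhere else, while X-XSS-Protection stays on every path. The following script is an added example, not code from the thread or from the Caddy project; it assumes the site is reachable at the hypothetical BASE URL (default https://localhost, with a certificate curl trusts) and that the path names match the config above.

```shell
#!/bin/sh
# Added check script, not from the thread. Assumes the site is reachable at
# $BASE (default https://localhost, hypothetical) and that the Caddyfile exempts
# /scheduling/* from X-Frame-Options while keeping X-XSS-Protection everywhere.

# has_header <field> <headers-file>: succeed if the dumped response headers
# contain <field>. Case-insensitive because HTTP/2 lowercases header names.
has_header() {
  grep -iq "^$1:" "$2"
}

# expect_header <path> <field> <present|absent> <headers-file>
# Prints OK/FAIL and returns 0 when the dump matches the expectation.
expect_header() {
  path=$1 field=$2 want=$3 file=$4
  if has_header "$field" "$file"; then got=present; else got=absent; fi
  if [ "$got" = "$want" ]; then
    echo "OK   $path: $field $got"
    return 0
  fi
  echo "FAIL $path: $field $got, expected $want" >&2
  return 1
}

# check_path <path> <present|absent>: fetch the live response headers with curl
# and verify X-Frame-Options against the expectation; X-XSS-Protection must stay.
check_path() {
  tmp=$(mktemp)
  curl -sS -o /dev/null -D "$tmp" "$BASE$1" || { rm -f "$tmp"; return 2; }
  rc=0
  expect_header "$1" X-Frame-Options "$2" "$tmp" || rc=1
  expect_header "$1" X-XSS-Protection present "$tmp" || rc=1
  rm -f "$tmp"
  return "$rc"
}

BASE=${BASE:-https://localhost}
# Only talk to the live server when asked, so the functions can also be sourced.
if [ "${1:-}" = "--live" ]; then
  rc=0
  check_path / present || rc=1
  check_path /scheduling/ absent || rc=1
  check_path /scheduling/calendar absent || rc=1
  exit "$rc"
fi
```

Run it as `sh check_xfo.sh --live` after reloading Caddy; a non-zero exit means one of the paths did not behave as the config intends.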

@francislavoie as always you came just in time to the rescue!!! Thank you Sir!!!

