Velvet Star Monitor


NGINX X-Frame-Options allow only from single page

Writer Matthew Barrera

I am trying to set up my vHost to allow iframes from only one subdomain of our network. Before we had:

add_header X-Frame-Options "SAMEORIGIN"; on all our pages.

To accomplish what I want to do I tried:

add_header X-Frame-Options 

This ends up allowing iframes as wanted but it allows them from every domain not just from .

How can I deny iframes from all external pages but allow them from one subdomain?

Side info:

both sites run on the same machine.

1 Answer

The RFC for the X-Frame-Options header states that valid options for the header are:

  • DENY
  • SAMEORIGIN
  • ALLOW-FROM <uri>

So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:

ALLOW-FROM 
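As an added example (not part of the question or the answer above), this nginx server block sends the answer's ALLOW-FROM form together with the Content-Security-Policy frame-ancestors directive, which is what current browsers enforce, since they ignore an X-Frame-Options header carrying ALLOW-FROM. The hostnames www.example.com and frames.example.com are placeholders, because the page does not show the real ones.

```nginx
# Added example; goes inside the http {} context.
# Both hostnames are placeholders, not values from the original post.
server {
    listen 80;
    server_name www.example.com;    # placeholder: the site that is being framed

    # Previous setting from the question: only same-origin framing.
    # add_header X-Frame-Options "SAMEORIGIN";

    # Legacy header in the form the answer describes. ALLOW-FROM takes exactly
    # one full origin (scheme included) and no wildcards. A browser that does
    # not recognise the value ignores the whole header, so on its own this
    # line leaves the page frameable from anywhere in such a browser.
    add_header X-Frame-Options "ALLOW-FROM https://frames.example.com" always;

    # CSP counterpart: allow framing by this site itself and by the one
    # subdomain, refuse every other ancestor. Browsers that support
    # frame-ancestors use it in preference to X-Frame-Options.
    add_header Content-Security-Policy "frame-ancestors 'self' https://frames.example.com" always;

    # "always" makes nginx attach the headers to error responses as well,
    # not only to 2xx/3xx responses.

    location / {
        root /var/www/html;         # placeholder document root
        # add_header is inherited from the server level only when this block
        # defines no add_header of its own. Adding one here (for example a
        # Cache-Control header) silently drops both framing headers unless
        # they are repeated inside this block.
    }
}
```

After reloading, `curl -sI http://www.example.com/` should list both headers on every location that serves framable content.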
