ср, 6 окт. 2021 г. в 13:10, Martin Knoblauch <kn...@knobisoft.de>: > > Hi, > > sorry for asking this likely stupid question. This is with Apache HTTPD > 2.4.48. > > I want to change the value of the X-Frame-Options response header from DENY > to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53. > > Naively, because the mod_header documentation says "The response header is > set, replacing any previous header with this name. The value may be a format > string.", I added a single > > Header always set X-Frame-Options SAMEORIGIN > > to the VirtualHost section of the httpd configuration. To my surprise my > browser (FF and Chrome) has two headers now, one with DENY, one with > SAMEORIGIN. And falls back to DENY :-( > > When I add an unset before the set, it works > > Header unset X-Frame-Options > Header always set X-Frame-Options SAMEORIGIN > > Is my understanding of the mod_header documentation wrong, or do I miss > somethiong subtle?
See my recent answer in "X-Frame-Options and security" thread. https://httpd.markmail.org/message/pwsrgbj7pjy4qiei All is in the docs, if you read carefully, but I agree that it is subtle. https://httpd.apache.org/docs/2.4/en/mod/mod_headers.html#header Essentially, (as far as I am reading it), "onsuccess" and "always" are just names of two separate tables (lists) of headers that exist in parallel. <quote> it does not offer any "normalized" single list of headers </quote> Best regards, Konstantin Kolinko --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org