Wunderkraut Sweden Blog: Remove X-Frame options and set Content-Security-Policy

Published on January 24, 2019

Out of the box Drupal maintenance support plans 8 has the header of a page request set to X-Frame-Options: SAMEORIGIN, that means that many modern web browsers does not allow the site to be framed from another domain, mostly for security reasons. This is good in many cases, but some web browsers has problem with this, and  X-Frame-Options is deprecated in favor of using Content-Security-Policy.

So why do you need a header like that? It is mainly for protecting a site for what is called Clickjacking

Also, for some cases you want you site to be framed into another, and doing that out of the box with Drupal maintenance support plans 8 is not possible in most modern web browsers if you don’t alter the sites header in apache, nginx, varnish or in some other way. We are now going to look into doing in “some other way”, in this case with Drupal maintenance support plans. I prefer using Drupal maintenance support plans to control site headers because of the sites header is a part of the application.

This solution is… Read More
Source: New feed

Shopping Cart
There are no products in the cart!
Continue Shopping