Setting X-Frame-Options At The Server Level
You (or your DevOps team) may prefer to configure headers at the server level. In that case, below are the various ways to add X-Frame-Options to your web server so that every response carries the header.
Setting X-FRAME-OPTIONS in IIS
If you are using IIS just to forward requests to Kestrel (or even if the site is actually hosted in IIS), the best way to do this is in IIS Manager.
- Open IIS Manager and, in the left-hand tree, click the site you would like to manage.
- Double-click the “HTTP Response Headers” icon.
- Right-click the header list and select “Add”.
- For the “name” write “X-FRAME-OPTIONS” and for the value write your desired option, e.g. “SAMEORIGIN”.
Setting X-FRAME-OPTIONS in Apache
In your httpd.conf file you need to append the following line:
Header always append X-Frame-Options SAMEORIGIN
Setting X-FRAME-OPTIONS in htaccess
If you are using shared hosting you may only have access to an .htaccess file, or you may prefer to use .htaccess to manage redirects, headers etc. anyway. If that’s the case, add the following to your .htaccess file.
Header append X-FRAME-OPTIONS "SAMEORIGIN"
Setting X-FRAME-OPTIONS in NGINX
In nginx.conf add the following line (and restart the nginx service afterwards).
add_header X-Frame-Options "SAMEORIGIN";
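Whichever server you configure, it is worth confirming what actually reaches the client. The following is an added example, not code from the original article: it audits the X-Frame-Options header in a block of response headers such as the output of `curl -sI`. The function names, result labels and sample responses are assumptions constructed for illustration.

```python
# Added example: audit X-Frame-Options in a block of HTTP response headers.
# Input is the text printed by e.g. `curl -sI <url>`; all samples are constructed.

VALID = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete; current browsers ignore it


def xfo_values(raw_headers: str) -> list[str]:
    """Return every X-Frame-Options value, splitting comma-joined values."""
    values = []
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        # Header names are case-insensitive, so X-FRAME-OPTIONS matches too.
        if sep and name.strip().lower() == "x-frame-options":
            values += [v.strip().upper() for v in value.split(",") if v.strip()]
    return values


def audit_xfo(raw_headers: str) -> str:
    """Classify the header as ok, missing, invalid, conflicting or duplicated."""
    values = xfo_values(raw_headers)
    if not values:
        return "missing"      # server config not applied to this response
    if any(v not in VALID for v in values):
        return "invalid"      # e.g. a misspelt value such as SAME-ORIGIN
    if len(set(values)) > 1:
        return "conflicting"  # DENY and SAMEORIGIN sent together
    if len(values) > 1:
        return "duplicated"   # same value twice, e.g. app and server both add it
    return "ok"


# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "nginx add_header": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "hyphenated value": "HTTP/1.1 200 OK\r\nX-FRAME-OPTIONS: SAME-ORIGIN\r\n",
    "appended twice": "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN, SAMEORIGIN\r\n",
    "app and server": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n",
    "header absent": "HTTP/1.1 404 Not Found\r\nContent-Type: text/html\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label}: {audit_xfo(raw)}")
```

Run it against headers from several URLs, including error pages and static files, since a header added at the server level may not be applied to every response type.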