I have an Nginx proxy setup where I add several security-related headers to the server so that they return on all proxy locations. On some locations I need to add additional headers (ex. Content-Security-Policy to /), while on other specific locations I need to remove one of the headers (ex. X-Frame-Options from /framepage.html) added at the server level.
nginx.conf
# ...
server {
# ...
include security-headers.conf;
location / {
proxy_pass http://web:5000/;
include security-headers.conf;
add_header Content-Security-Policy "my csp...";
}
location = /framepage.html {
proxy_pass http://web:5000/framepage.html;
# TODO: remove `X-Frame-Options` response header from this specific page
# Tried add_header X-Frame-Options "";
# Tried proxy_set_header X-Frame-Options "";
# Tried proxy_hide_header X-Frame-Options;
}
location /api/ {
proxy_pass http://api:5000/;
}
location /otherstuff/ {
proxy_pass http://otherstuff:5000/;
}
# ...
}
security-headers.conf
add_header Referrer-Policy same-origin;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
I have tried the following, but none of them seem to remove the X-Frame-Options header from the /framepage.html location response:
add_header X-Frame-Options "";proxy_set_header X-Frame-Options "";proxy_hide_header X-Frame-Options;
How can I remove the X-Frame-Options header from the /framepage.html location response?
Best Answer
The header config attributes are a bit confusing, this is what they do:
proxy_set_headeris to set a request headeradd_headeris to add a header to the responseproxy_hide_headeris to hide a response headerIf you want to replace a header that already exists in the response it is not enough with
add_headerbecause it will stack the values (from server and the one you added).You have to do this in two steps:
1) remove header:
proxy_hide_header Access-Control-Allow-Origin;2) add your custom header value:
add_header Access-Control-Allow-Origin "*" always;