I have an Nginx proxy setup where I add several security-related headers to the server so that they return on all proxy locations. On some locations I need to add additional headers (ex. Content-Security-Policy
to /
), while on other specific locations I need to remove one of the headers (ex. X-Frame-Options
from /framepage.html
) added at the server level.
nginx.conf
# ...
server {
# ...
include security-headers.conf;
location / {
proxy_pass http://web:5000/;
include security-headers.conf;
add_header Content-Security-Policy "my csp...";
}
location = /framepage.html {
proxy_pass http://web:5000/framepage.html;
# TODO: remove `X-Frame-Options` response header from this specific page
# Tried add_header X-Frame-Options "";
# Tried proxy_set_header X-Frame-Options "";
# Tried proxy_hide_header X-Frame-Options;
}
location /api/ {
proxy_pass http://api:5000/;
}
location /otherstuff/ {
proxy_pass http://otherstuff:5000/;
}
# ...
}
security-headers.conf
add_header Referrer-Policy same-origin;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
I have tried the following, but none of them seem to remove the X-Frame-Options
header from the /framepage.html
location response:
add_header X-Frame-Options "";
proxy_set_header X-Frame-Options "";
proxy_hide_header X-Frame-Options;
How can I remove the X-Frame-Options
header from the /framepage.html
location response?
Best Answer
The header config attributes are a bit confusing, this is what they do:
proxy_set_header
is to set a request headeradd_header
is to add a header to the responseproxy_hide_header
is to hide a response headerIf you want to replace a header that already exists in the response it is not enough with
add_header
because it will stack the values (from server and the one you added).You have to do this in two steps:
1) remove header:
proxy_hide_header Access-Control-Allow-Origin;
2) add your custom header value:
add_header Access-Control-Allow-Origin "*" always;