NGINX X-Frame-Options allow only from single page

Posted on

Problem :

I am trying to setup my vHost to allow iframes from only one subdomain of our network. Before we had:

add_header X-Frame-Options "SAMEORIGIN"; on all our pages.

To accomplish what I want to do I tried:

add_header X-Frame-Options;

This ends up allowing iframes as wanted but it allows them from every domain not just from

How can I deny iframes from all external pages but allow them from one subdomain?

Side info:

both sites run on the same machine.

Solution :

The RFC for the X-Frame-Options header states that valid options for the header are:

  • DENY
  • ALLOW-FROM <uri>

So, first off you need to add ALLOW-FROM then specify the URI of your subdomain. Something like this:


Leave a Reply

Your email address will not be published. Required fields are marked *