Thursday, September 28, 2017

Include multiple domains in ALLOW-FROM for X-Frame-Options (Apache)

Every forum post, blog post, and piece of documentation online will tell you the same thing: that it is not possible to whitelist multiple domains with X-Frame-Options, and that you should use Content-Security-Policy or some complicated, messy JavaScript instead.

I'm here to tell you that they're all wrong.

Here is a snippet of my httpd.conf file:
# For obvious security reasons
Header set X-Frame-Options SAMEORIGIN

<Location /myapp>
  # For the context /myapp, whitelist multiple domains
  Header append X-Frame-Options "ALLOW-FROM https://raastech.com"
  Header append X-Frame-Options "ALLOW-FROM https://raastechmobile.com"
</Location>

If you open up Developer Tools (F12) in IE 11, you can confirm that the response carries the following header:
X-Frame-Options: SAMEORIGIN, ALLOW-FROM https://raastech.com, ALLOW-FROM https://raastechmobile.com
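To see what a browser is actually handed once Apache has merged those directives, here is an added Python check (not from the post) that splits the combined field value and validates each directive against the RFC 7034 grammar, which defines X-Frame-Options as exactly one of DENY, SAMEORIGIN or ALLOW-FROM plus an origin. A comma-joined value like the one above falls outside that grammar, so browsers handle it inconsistently, and ALLOW-FROM itself was only ever implemented by Internet Explorer and older Firefox; the sample header value is constructed from the post.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the header value the post reports IE 11 receiving once
# "Header set" and two "Header append" lines have been merged by Apache.
MERGED_HEADER = ("SAMEORIGIN, ALLOW-FROM https://raastech.com, "
                 "ALLOW-FROM https://raastechmobile.com")


def parse_directive(token):
    """Return ("DENY"|"SAMEORIGIN"|"ALLOW-FROM", origin) for one directive
    according to the RFC 7034 grammar, or None if it does not match."""
    text = token.strip()
    if text.upper() in ("DENY", "SAMEORIGIN"):
        return (text.upper(), None)
    match = re.fullmatch(r"ALLOW-FROM\s+(\S+)", text, re.IGNORECASE)
    if not match:
        return None
    origin = urlsplit(match.group(1))
    # A serialized origin is scheme://host[:port] with no path, query or fragment.
    if (origin.scheme.lower() in ("http", "https") and origin.netloc
            and not (origin.path or origin.query or origin.fragment)):
        return ("ALLOW-FROM", f"{origin.scheme.lower()}://{origin.netloc.lower()}")
    return None


def evaluate_xfo(header_value):
    """Classify a merged X-Frame-Options field value as a browser sees it.
    Apache joins appended values with ", ", so split on commas first."""
    tokens = [t for t in header_value.split(",") if t.strip()]
    directives = [parse_directive(t) for t in tokens]
    if not directives or None in directives:
        return {"status": "invalid", "directives": directives}
    if len(directives) == 1:
        return {"status": "ok", "directives": directives}
    # RFC 7034 gives no meaning to more than one directive; Chromium treats
    # conflicting directives as a reason to refuse framing altogether.
    return {"status": "conflict", "directives": directives}


if __name__ == "__main__":
    result = evaluate_xfo(MERGED_HEADER)
    print(result["status"], result["directives"])
```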


Applicable Versions
  • Apache
