Thursday, September 28, 2017

Include multiple domains in ALLOW-FROM for X-Frame-Options (Apache)

Every forum thread, blog post and piece of documentation online says the same thing: you cannot whitelist more than one domain with X-Frame-Options, so use Content-Security-Policy (frame-ancestors) instead, or fall back to some complicated and messy JavaScript.

Apache itself has no problem emitting more than one ALLOW-FROM value, and the configuration below does exactly that. The catch is what the browser does with the result: `Header append` joins the values into a single comma-separated header value, and every browser that implemented ALLOW-FROM at all (IE, and Firefox before it dropped the directive) only ever honoured a single origin, while Chrome and Safari never implemented ALLOW-FROM. So the header reaches the browser, but it is not enforced as a multi-domain whitelist; for that, Content-Security-Policy frame-ancestors remains the supported mechanism.

Here is a snippet of my httpd.conf file (the domains after ALLOW-FROM did not survive on this page):

    # For obvious security reasons, default the whole server to SAMEORIGIN
    Header set X-Frame-Options SAMEORIGIN

    <Location /myapp>
        # For the context /myapp, whitelist multiple domains.
        # Note that "append" adds to the value set above rather than replacing it.
        Header append X-Frame-Options "ALLOW-FROM"
        Header append X-Frame-Options "ALLOW-FROM"
    </Location>

If you open Developer Tools (F12) in IE 11, you can confirm that the response header shows the following. Seeing the header arrive is not the same as the browser enforcing it: IE 11 evaluates a single ALLOW-FROM origin and ignores a value it cannot parse, so always test the actual framing behaviour from a page on each whitelisted origin, not just the header's presence.
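To make the difference between "the header is present" and "the browser accepts it" concrete, here is an added example (not code from the original post) that models what mod_headers produces from `Header set` followed by two `Header append` directives, runs the result through a strict RFC 7034-style parser of the kind browsers use, and builds the Content-Security-Policy frame-ancestors equivalent. The merge model assumes the server-level `Header set` runs before the `<Location>` appends, the parser is a deliberately strict reading of the RFC (one directive per header value, ALLOW-FROM with exactly one origin), and the domains `https://a.example` and `https://b.example` are constructed placeholders for the ones missing from the snippet above.

```python
"""Simulate Apache mod_headers set/append for X-Frame-Options and check
whether the resulting value is a single valid directive (RFC 7034).

Added example for this post, not Apache or browser code. The parser is a
simplified, strict model: real browsers differ in how they treat a
comma-joined list, but none of them honours more than one ALLOW-FROM origin.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for the domains missing from the httpd.conf snippet.
DEMO_ORIGINS = ("https://a.example", "https://b.example")


def apply_header_directives(directives):
    """Return the final header value after a sequence of mod_headers-style
    ('set' | 'append', value) operations. `append` joins with ", " the way
    Apache does, producing one header field with a comma-separated value."""
    value = None
    for op, new in directives:
        if op == "set":
            value = new
        elif op == "append":
            value = new if value is None else f"{value}, {new}"
        else:
            raise ValueError(f"unknown Header operation: {op}")
    return value


def parse_x_frame_options(value):
    """Strict RFC 7034 parse of an X-Frame-Options value.

    Returns ('DENY', None), ('SAMEORIGIN', None), ('ALLOW-FROM', origin),
    or None when the value is not a single valid directive."""
    if value is None:
        return None
    text = value.strip()
    # A comma-joined list is not one directive; a strict parser rejects it.
    if "," in text:
        return None
    upper = text.upper()
    if upper == "DENY":
        return ("DENY", None)
    if upper == "SAMEORIGIN":
        return ("SAMEORIGIN", None)
    if upper.startswith("ALLOW-FROM"):
        parts = text[len("ALLOW-FROM"):].split()
        if len(parts) != 1:          # exactly one serialized origin allowed
            return None
        url = urlsplit(parts[0])
        if url.scheme not in ("http", "https") or not url.netloc:
            return None
        return ("ALLOW-FROM", f"{url.scheme}://{url.netloc}")
    return None


def csp_frame_ancestors(origins, allow_self=True):
    """The supported way to whitelist several framing origins: a single
    Content-Security-Policy frame-ancestors directive."""
    sources = (["'self'"] if allow_self else []) + list(origins)
    return "Content-Security-Policy: frame-ancestors " + " ".join(sources)


def httpd_conf_result(origins=DEMO_ORIGINS):
    """Model the post's httpd.conf: global `Header set SAMEORIGIN`, then
    one `Header append ALLOW-FROM <origin>` per whitelisted origin."""
    directives = [("set", "SAMEORIGIN")]
    directives += [("append", f"ALLOW-FROM {o}") for o in origins]
    value = apply_header_directives(directives)
    return value, parse_x_frame_options(value)


if __name__ == "__main__":
    value, parsed = httpd_conf_result()
    print("X-Frame-Options:", value)
    print("strict parse  :", parsed)   # None: not a single valid directive
    print(csp_frame_ancestors(DEMO_ORIGINS))
```

Run it and the first line shows the header the developer tools would display; the strict parse returns `None`, which is the practical outcome in IE (single-origin ALLOW-FROM only) and in Chrome and Safari (no ALLOW-FROM at all). The last line is the frame-ancestors header that does express the intended whitelist.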

Applicable Versions
  • Apache