XF 1.5 header X-Frame-Options: SAMEORIGIN twice


Active member
I migrate from xf 1.2 to xf1.5 recently. I have a strange problem, is possible that xenforo send a x-frame-options header ?
If i get the http headers of other page that is not xenforo i dont have the x-frame-options twice. I check all my nginx configuration files and only found one header declaration.

Content-Type: text/html; charset=UTF-8

Content-Length: 106321
Connection: keep-alive
Vary: Accept-Encoding
Cache-control: private, max-age=0

Set-Cookie: xf_session=xxxxx; path=/; secure; httponly

X-Frame-Options: SAMEORIGIN

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
x-xss-protection: 1; mode=block
X-Content-Type-Options: nosniff

x-frame-options: SAMEORIGIN

Content-Security-Policy: default-src 'self' https://pagead2.googlesyndication.com; script-src 'self' data: 'unsafe-inline' 'unsafe-eval' https://pagead2.googlesyndication.com https://secure.gravatar.com;  font-src 'self' data: https://fonts.googleapis.com https://fonts.gstatic.com https://themes.googleusercontent.com https://www.gstatic.com; connect-src 'self' https://fonts.gstatic.com https://pagead2.googlesyndication.com; media-src 'self' data: https://ssl.gstatic.com; object-src 'self' https://fonts.gstatic.com https://pagead2.googlesyndication.com https://www.gstatic.com; child-src 'self'; frame-src 'self' https://googleads.g.doubleclick.net gsa://onpageload https://onpageload https://secure.gravatar.com https://tpc.googlesyndication.com ; worker-src 'self'; frame-ancestors 'self'; form-action 'self'; upgrade-insecure-requests; report-uri https://cspviolations.report-uri.io/r/default/csp/enforce

Thanks a lot

Chris D

XenForo developer
Staff member
XF implemented "click jacking" protection in XF 1.2 (so you should have already had that). With that enabled (which it is by default) we will send a X-Frame-Options SAMEORIGIN header. But we should only send it once.


XenForo developer
Staff member
There are a lot of non-standard headers there, so I have to guess that you have something adding it outside of XF.


Active member
There are a lot of non-standard headers there, so I have to guess that you have something adding it outside of XF.
Yes are the headers that my nginx configuration has.
Great thanks to the @Chris D post I found in help that i can disable the click jacking in config.php and control my header via nginx configuration that is i do. Sorry for my misunderstanding I'm member of this forum from the beginning but dont remember nothing about the click jacking option. (n) now only have one x-frame-options header once deactivate the option in xenforo config file.

Thanks a lot and sorry again :LOL: