XF 2.1 Security Headers Duplicate

Onlyme

Hi,

Are both these headers enabled by default in xenforo?

X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
 
Found this https://xenforo.com/community/threads/embedding-other-xf-sites-using-iframe.132658/post-1167542 where @Chris D says it's enabled by default: clickjacking protection, aka X-Frame-Options: SAMEORIGIN.

I just can't find info on X-Content-Type-Options: nosniff.

This is a fresh server and xenforo install; I've not edited apache or .htaccess to add X-Content-Type-Options: nosniff, but it's still there:

curl -I http://mysite.xyz
HTTP/1.1 301 Moved Permanently
Date: Sat, 15 Feb 2020 12:29:53 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Last-Modified: Sat, 15 Feb 2020 12:29:53 GMT
Location: http://mysite.xyz/index.php
Content-Type: text/html; charset=utf-8

Anyone know if xenforo is also adding X-Content-Type-Options: nosniff?
 
Yes, we add both those headers by default.

We moved to a new server and now we're getting this:

Error with Permissions-Policy header: Unrecognized feature: 'interest-cohort'.

chromewebdata/:1 Refused to display 'https://www.facebook.com/' in a frame because it set 'X-Frame-Options' to 'deny'.
(index):6770 crbug/1173575, non-JS module files deprecated.
(anonymous) @ (index):6770


Facebook embedded posts not rendering!
 
That's a header from Facebook which prevents others from embedding their pages in a frame. The header above is from XF and prevents others from embedding your forum in a frame (on a different origin), and is unrelated to your issue. Most likely this is a problem with your embed setup, as Facebook embeds work fine for me locally.
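To make the point in this reply concrete, here is an added example (not code from the thread or from XenForo) that parses a raw header block like the `curl -I` output above, checks the two headers the thread asks about, and works out whose X-Frame-Options value decides whether a frame is shown. Both sample responses are constructed; the Facebook one only stands in for the response behind the console error.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the `curl -I` output posted in the thread (trimmed).
XF_RESPONSE = """HTTP/1.1 301 Moved Permanently
Server: Apache/2.4.41 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Location: http://mysite.xyz/index.php
Content-Type: text/html; charset=utf-8
"""

# Constructed sample standing in for the facebook.com response behind the console error.
FB_RESPONSE = """HTTP/1.1 200 OK
X-Frame-Options: deny
Content-Type: text/html; charset=utf-8
"""

def parse_headers(raw):
    """Map lower-cased header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(raw):
    """Per header: is each of the two headers from the thread set to a protective value?"""
    h = parse_headers(raw)
    return {
        "x-frame-options": h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
    }

def origin(url):
    """Scheme plus host (and port): the unit X-Frame-Options: SAMEORIGIN compares."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}".lower()

def frame_allowed(framed_raw, framed_url, embedder_url):
    """May the page at framed_url be shown in a frame on embedder_url?
    The browser decides from the *framed* page's header, so Facebook's 'deny'
    blocks a Facebook embed no matter what headers the forum itself sends."""
    value = parse_headers(framed_raw).get("x-frame-options", "").upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return origin(framed_url) == origin(embedder_url)
    return True  # absent or unrecognised value: no X-Frame-Options restriction applies
```

Running `frame_allowed(FB_RESPONSE, "https://www.facebook.com/", "https://mysite.xyz/")` returns False, which is exactly the refusal in the console message, while the forum's own SAMEORIGIN header still passes `audit`.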
 