Found this:
https://xenforo.com/community/threads/embedding-other-xf-sites-using-iframe.132658/post-1167542
@Chris D says it's enabled by default: ClickjackingProtection, aka X-Frame-Options SAMEORIGIN.
I just can't find info on X-Content-Type-Options nosniff.
This is a fresh server and XenForo install. I've not edited Apache or .htaccess to add X-Content-Type-Options nosniff, but it's still there:
curl -I http://mysite.xyz
HTTP/1.1 301 Moved Permanently
Date: Sat, 15 Feb 2020 12:29:53 GMT
Server: Apache/2.4.41 (Ubuntu)
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: private, no-cache, max-age=0
Last-Modified: Sat, 15 Feb 2020 12:29:53 GMT
Location: http://mysite.xyz/index.php
Content-Type: text/html; charset=utf-8
Anyone know if XenForo is also adding X-Content-Type-Options: nosniff?