appserver-io / webserver

Multithreaded webserver for php written in php

Default headers should be configurable #207

Open mwitte opened 5 years ago

mwitte commented 5 years ago

A customer would like to integrate an app delivered by appserver into another page as an iframe. To enable this, the X-Frame-Options header needs another value or needs to be removed.

The default headers should be configurable AppserverIo/WebServer/ConnectionHandlers/HttpConnectionHandler.php

wick-ed commented 5 years ago

Hi @mwitte

Did you try using the Header webserver module? An example would be https://github.com/appserver-io/appserver/blob/1.1/resources/templates/etc/appserver/appserver.xml.phtml#L427 or, in combination with a file location: https://github.com/appserver-io/appserver/blob/1.1/resources/templates/etc/appserver/appserver.xml.phtml#L437

With the module you can configure the header, e.g. for a virtual host, globally, or depending on certain conditions.

See also https://github.com/appserver-io/webserver/blob/master/src/AppserverIo/WebServer/Modules/HeaderModule.php

Does this solve your problem?

Best regards,

bernhard

wick-ed commented 5 years ago

The module must be included in your server's module stack configuration like this: https://github.com/appserver-io/appserver/blob/1.1/resources/templates/etc/appserver/appserver.xml.phtml#L519

mwitte commented 5 years ago

No, I didn't try it and didn't know about it :D But it seems that this module allows modifying existing headers and adding new ones, but we need to remove this header completely?

Thank you

wick-ed commented 5 years ago

Yes, indeed. ^^ You could modify the header, but removing it won't work this way. How about overriding the default `Deny` with `Allow-From: <YOUR_DOMAIN>`? This should be doable?

See:

- https://github.com/appserver-io-psr/http-message/blob/master/src/AppserverIo/Psr/HttpMessage/Protocol.php#L351
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options