The default settings set the X-Frame-Options HTTP header to 'DENY'.

X-Frame-Options is more or less obsolete now; the main reason to include it is to satisfy outdated security scanners. It is superseded by the frame-ancestors directive of Content Security Policy (CSP): a browser that supports frame-ancestors ignores X-Frame-Options when both headers are present. There is also little point in setting it in the backend rather than at the proxy layer.

Workarounds
a) it can be changed from 'DENY' to 'SAMEORIGIN' by overriding X_FRAME_OPTIONS in trix_settings.py.
b) to remove it, it has to be stripped by the proxy, i.e. by applying the following in Nginx's location block:
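The Nginx snippet referred to above is not reproduced on this page. What follows is an added example of a location block that does what workaround b) describes, written for this edit and not the project's own configuration. It assumes the Django backend listens on 127.0.0.1:8000 and that framing should be allowed only from the same origin and from https://portal.example.com; both values are placeholders.

```nginx
# Added example (not the project's configuration). Assumed values:
# backend at 127.0.0.1:8000, allowed framing origin https://portal.example.com.
location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Do not pass the backend's "X-Frame-Options: DENY" on to the client.
    proxy_hide_header X-Frame-Options;

    # Express the framing policy with CSP instead. Browsers that implement
    # frame-ancestors ignore X-Frame-Options anyway when both are present.
    # "always" also attaches the header to 4xx/5xx responses.
    add_header Content-Security-Policy "frame-ancestors 'self' https://portal.example.com" always;
}
```

Two caveats when adapting this. First, add_header is only inherited from the server block if the location block has no add_header of its own, so any other security headers set at server level (HSTS, for example) must be repeated inside this location. Second, if the backend already emits its own Content-Security-Policy header, add_header results in two CSP headers and the browser enforces both; in that case either hide the backend's header with proxy_hide_header Content-Security-Policy as well, or fold frame-ancestors into the backend's policy instead.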