jlesage / docker-nginx-proxy-manager

Docker container for Nginx Proxy Manager
MIT License

X_FRAME_OPTIONS not working with Organizr #84

Open kstenqvist opened 4 years ago

kstenqvist commented 4 years ago

Hi, I'm running NPM as a docker in portainer on a RPi4 and I'm trying to get Organizr to load tabs (iframes) with NPM by using the "X_FRAME_OPTIONS" environment option. I did some searching and found that it was implemented a while back (https://github.com/jc21/nginx-proxy-manager/commit/6f1d38a0e2c27cbb117782503abea133e20be806) but it doesn't wanna play ball with me.

This is what I've entered into the ENV section of the docker composer:

environment:
  # Uncomment this if IPv6 is not enabled on your host
  # - DISABLE_IPV6=true
  - X_FRAME_OPTIONS=sameorigin

Everything else is working just fine with NPM. I'm using Chrome as browser. Any ideas?

jlesage commented 4 years ago

The X_FRAME_OPTIONS variable is for the web interface of NginxProxyManager itself... You could try to add the following line under the Advanced tab of your proxy host:

add_header X-Frame-Options "SAMEORIGIN";

lrlf commented 4 years ago

I added these lines on the Advanced tab and it makes no difference on the securityheaders scan. What can I add to get a green scan? Thanks

jlesage commented 4 years ago

These headers are normally added by Nginx via the add_header directive. However, the inheritance of this directive (https://www.nginx.com/blog/http-strict-transport-security-hsts-and-nginx/) doesn't fit with the way the nginx config is generated: the add_header directives in the Advanced tab get ignored for proxy hosts...

One "hacky" way to do it is to create a custom location for "/" and re-do the config of your proxy host. Adding the add_header directive in the advanced section of the custom location should do the trick.

The add_header directive is followed by the name of the header, then its value. For example:

add_header X-Content-Type-Options nosniff;

I'm not sure what values to use for each header. You should search on Google for the proper values to use, since they may differ for your applications and/or your needs.
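
As an added illustration of the add_header inheritance rule described in this comment (example config written for this thread, not the file NPM generates and not the project's own code): a server block is assumed to stand in for the proxy host, a location for the custom "/" location, and all host names, certificate paths and upstream addresses are placeholders.

```nginx
# Added example: assumed layout standing in for an NPM proxy host.
# Host names, certificate paths and upstream addresses are placeholders.

# Broken: headers declared one level up are silently lost.
server {
    listen 443 ssl;
    server_name broken.example.invalid;
    ssl_certificate     /etc/ssl/placeholder.crt;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;   # placeholder

    # Declared at server level (assumed here to be where the
    # proxy host's Advanced tab content ends up)...
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # ...but this location carries its own add_header, so nginx
        # discards every add_header inherited from the server block.
        # Only Strict-Transport-Security reaches the client here.
        add_header Strict-Transport-Security "max-age=63072000" always;
    }
}

# Fixed: the custom location repeats the full header set, so nothing
# needs to be inherited and nothing is lost.
server {
    listen 443 ssl;
    server_name fixed.example.invalid;
    ssl_certificate     /etc/ssl/placeholder.crt;   # placeholder
    ssl_certificate_key /etc/ssl/placeholder.key;   # placeholder

    location / {
        proxy_pass http://127.0.0.1:8080;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=63072000" always;
    }
}
```

The `always` parameter makes nginx attach the header to every response status rather than only 2xx/3xx ones, which matters for header scanners that also look at error pages; check the live result with `curl -sI https://<host>/ | grep -i -e x-frame -e x-content -e strict-transport`.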

lrlf commented 4 years ago

Thank you, I will give it a try. Thanks a lot.