Spurious X-Frame-Options warning ("not set to SAMEORIGIN")

On the “Security & setup warnings” page I see this warning in bright red:

The "X-Frame-Options" HTTP header is not configured to equal to "SAMEORIGIN".

I’ve double-checked the Apache configuration and again checked with curl and the browser inspector. SAMEORIGIN is set. It appears X-Frame-Options is set twice. According to what I’ve found on other related topics, this header is set by Nextcloud itself, hence it is set twice.

I can’t find the documentation about where to tell Nextcloud to not set X-Frame-Options as it’s already taken care of server-side. Any help would be great.

Sorry if this is a duplicate, I can’t find any suitable answer.

I just found the updated nginx configuration notes, according to which PHP now handles this by itself: https://docs.nextcloud.com/server/13/admin_manual/release_notes.html#updates-to-nginx-configuration

Thus you should also remove it from your Apache configuration.

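A check for the situation in this thread, where the header carries the right value but is sent twice, so a reader that merges repeated fields sees `SAMEORIGIN, SAMEORIGIN` instead of `SAMEORIGIN`. This is an added example, not Nextcloud's own code: the header dumps are constructed, the function names are hypothetical, and it assumes the checker reads repeated fields as one comma-joined value (as `XMLHttpRequest.getResponseHeader` does).

```python
"""Audit a saved header dump (e.g. output of `curl -sI`) for X-Frame-Options."""

# Constructed sample: header emitted once by the web server, once by the application.
SAMPLE_DUPLICATE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "\r\n"
)
# Constructed sample: header emitted exactly once.
SAMPLE_SINGLE = "HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"


def xfo_values(raw_headers):
    """Return every X-Frame-Options value, one entry per header line."""
    values = []
    for line in raw_headers.splitlines():
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        # Field names are case-insensitive; the status line has no colon.
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values


def audit_xfo(raw_headers, expected="SAMEORIGIN"):
    """Classify a response as 'missing', 'ok', 'duplicate' or 'mismatch'."""
    values = xfo_values(raw_headers)
    if not values:
        return "missing", ""
    # Repeated fields are merged with ", " when read back as a single value.
    combined = ", ".join(values)
    if combined.upper() == expected:
        return "ok", combined
    tokens = [t.strip().upper() for t in combined.split(",")]
    if len(tokens) > 1 and all(t == expected for t in tokens):
        return "duplicate", combined  # right value, but set in two places
    return "mismatch", combined


if __name__ == "__main__":
    for label, dump in (("duplicate", SAMPLE_DUPLICATE), ("single", SAMPLE_SINGLE)):
        print(label, audit_xfo(dump))
```

A `duplicate` verdict means one of the two places that set the header should stop doing so; a single line that already reads `SAMEORIGIN, SAMEORIGIN` (merged by an intermediary) is classified the same way.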