Hi,

I have been using the following successfully in HTTPD config for some time:

Header always set X-Frame-Options SAMEORIGIN

The SAMEORIGIN is required for our use but now I am getting a request to
allow X-Frame-Options to include specific URLs, say:

https://example1.com
https://example2.com

In researching a bit, I found this
<https://www.apachelounge.com/viewtopic.php?p=36356> suggesting this format:

Header always set X-Frame-Options SAMEORIGIN
Header always append X-Frame-Options "ALLOW-FROM https://example1.com/";
Header always append X-Frame-Options "ALLOW-FROM https://example2.com/";

However, when I tested it the response is:

example.com refused to connect

Is this the proper way to set up this need (SAMEORIGIN and multiple URL
allows)?  Are there any concerns with this type of configuration?

Any guidance is appreciated.

TIA,

HB
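
Added example, not part of the original message: a simplified Python model of how a browser following the HTML Standard evaluates the merged X-Frame-Options value from the three directives above, beside a Content-Security-Policy frame-ancestors list expressing the same intent. Function names and sample header values are constructed for illustration; only 'self' and exact scheme://host sources are handled (no wildcards).

```python
from urllib.parse import urlsplit

def origin(url):
    """Normalise a URL to scheme://host[:port], dropping default ports."""
    u = urlsplit(url)
    default = {"http": 80, "https": 443}.get(u.scheme)
    port = "" if u.port in (None, default) else f":{u.port}"
    return f"{u.scheme}://{u.hostname}{port}"

def frame_ancestors(csp):
    """Return the source list of the frame-ancestors directive, or None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None

def may_frame(parent_url, page_url, headers):
    """True if a page at parent_url may embed page_url given its headers."""
    parent, page = origin(parent_url), origin(page_url)
    sources = frame_ancestors(headers.get("Content-Security-Policy", ""))
    if sources is not None:  # frame-ancestors present: X-Frame-Options is ignored
        for src in sources:
            if src.lower() == "'self'" and parent == page:
                return True
            if "://" in src and origin(src) == parent:
                return True
        return False         # includes 'none' and an empty list
    raw = headers.get("X-Frame-Options", "")
    xfo = {v.strip().lower() for v in raw.split(",")} - {""}
    if len(xfo) > 1:         # conflicting values: blocked if any is a known one
        return not (xfo & {"deny", "sameorigin", "allowall"})
    if xfo == {"deny"}:
        return False
    if xfo == {"sameorigin"}:
        return parent == page
    return True              # absent or unrecognised (e.g. ALLOW-FROM): no restriction

# Constructed: the value a client receives once "set" + two "append" are merged.
POSTED = {"X-Frame-Options":
          "SAMEORIGIN, ALLOW-FROM https://example1.com/, ALLOW-FROM https://example2.com/"}
# Constructed: equivalent intent, e.g. sent with
#   Header always set Content-Security-Policy "frame-ancestors 'self' https://example1.com https://example2.com"
CSP = {"Content-Security-Policy":
       "frame-ancestors 'self' https://example1.com https://example2.com"}
```

Under this model the posted value blocks every parent, same-origin included, while a lone ALLOW-FROM value is ignored and restricts nothing.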
