On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski <dwre...@guardiandigital.com.invalid> wrote: > > Hi, > > I ran a security scan for X-Frame-Options > (https://gf.dev/x-frame-options-test) on our site > (https://linuxsecurity.com), and it returned SAMEORIGIN, which is good, but > it also returned GOFORIT. > > The only settings we have are the following: > > <IfModule mod_headers.c> > Header set X-XSS-Protection "1; mode=block" > Header set X-Frame-Options "SAMEORIGIN" > Header set X-Content-Type-Options "nosniff" > Header always set Strict-Transport-Security "max-age=63072000; > includeSubDomains" > Header set Feature-Policy "geolocation 'self'; vibrate 'none'" > Header set Content-Security-Policy "frame-ancestors 'self'" > </IfModule> > > No where are we setting GOFORIT. Is it somehow the default and necessary to > explicitly disable it?
No. I'd veifry with a command-line client and see if it happens even for static files. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org For additional commands, e-mail: users-h...@httpd.apache.org
