On Thu, Sep 9, 2021 at 7:57 PM Dave Wreski
<dwre...@guardiandigital.com.invalid> wrote:
>
> Hi, revisiting a post from last week regarding X-Frame-Options and security 
> settings. I performed a security scan of https://linuxsecurity.com using 
> immuniweb (https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/) and 
> it showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine 
> where GOFORIT is being set, as we're not doing it manually, and I can't 
> locate it within an htaccess or in the virtual host config.
>
> I also used geekflare (https://gf.dev/x-frame-options-test) and it also 
> reported that we were using both GOFORIT and SAMEORIGIN values.
>
> I used lynx to dump the headers and it only displays SAMEORIGIN, as it should.
>
> Where else can I look to see where this option is being set?

Find your in-use LogFormat and add %{X-Frame-Options}o. Then run one
of those failing tests, uncached.
If it's not logged with "GOFORIT" it's not coming from Apache or
anything behind it.

AFAICT Google says "GOFORIT" is a hack to "break" an X-Frame-Options
when you don't have access to change it.
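
The check suggested in the reply above, as an added example that is not part of the original message: it parses access-log lines written with `%{X-Frame-Options}o` appended to the combined format and reports whether any logged value contains GOFORIT. The LogFormat nickname `xfo_debug`, the log path and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed httpd.conf lines (nickname "xfo_debug" and the log path are hypothetical):
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" \"%{X-Frame-Options}o\"" xfo_debug
#   CustomLog logs/xfo_debug.log xfo_debug
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] ' + QUOTED +
    r' (?P<status>\d{3}) \S+ ' + QUOTED + ' ' + QUOTED + ' ' + QUOTED + '$'
)

def classify(xfo):
    """Bucket one logged X-Frame-Options value."""
    tokens = {t.strip().upper() for t in xfo.split(",") if t.strip()}
    if "GOFORIT" in tokens:
        return "goforit"   # Apache, or something behind it, produced the value
    if tokens in (set(), {"-"}):
        return "absent"    # mod_log_config writes "-" when there is nothing to log
    return "other"         # e.g. SAMEORIGIN or DENY

def audit(lines):
    """Return (count per bucket, list of (host, request, agent, value) GOFORIT hits)."""
    counts, hits = Counter(), []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            counts["unparsed"] += 1
            continue
        request, _referer, agent, xfo = m.group(3, 5, 6, 7)
        bucket = classify(xfo)
        counts[bucket] += 1
        if bucket == "goforit":
            hits.append((m.group("host"), request, agent, xfo))
    return counts, hits

# Constructed sample lines, not taken from any real server.
SAMPLE = [
    '203.0.113.10 - - [09/Sep/2021:20:01:11 -0400] "GET / HTTP/1.1" 200 5120 "-" "scanner-a/1.0" "SAMEORIGIN"',
    '203.0.113.11 - - [09/Sep/2021:20:01:15 -0400] "GET / HTTP/1.1" 200 5120 "-" "scanner-b/1.0" "SAMEORIGIN, GOFORIT"',
    '198.51.100.7 - - [09/Sep/2021:20:02:02 -0400] "GET /robots.txt HTTP/1.1" 404 196 "-" "Lynx/2.8.9" "-"',
    'truncated line',
]

if __name__ == "__main__":
    counts, hits = audit(SAMPLE)
    print(dict(counts))
    for host, request, agent, xfo in hits:
        print(f"GOFORIT logged by Apache: {host} {request!r} agent={agent!r} value={xfo!r}")
```

An empty hit list for a request that the external scanner still reports as GOFORIT points away from Apache and its backends, which is the conclusion the reply draws.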
