Hi,

Sorry for asking this likely stupid question. This is with Apache HTTPD
2.4.48.

I want to change the value of the X-Frame-Options response header from DENY
to SAMEORIGIN. The header is apparently set by Tomcat 9.0.53.

Naively, because the mod_headers documentation says "The response header is
set, replacing any previous header with this name. The value may be a
format string.", I added a single

    Header always set X-Frame-Options SAMEORIGIN

to the VirtualHost section of the httpd configuration. To my surprise my
browser (FF and Chrome) has two headers now, one with DENY, one with
SAMEORIGIN. And falls back to DENY :-(

When I add an unset before the set, it works

    Header unset X-Frame-Options
    Header always set X-Frame-Options SAMEORIGIN

Is my understanding of the mod_headers documentation wrong, or am I missing
something subtle?

Cheers
Martin
-- 
------------------------------------------------------
Martin Knoblauch
email: k n o b i AT knobisoft DOT de
www: http://www.knobisoft.de
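
An added check, not part of the original message: a small Python audit that reads a raw response head and reports whether X-Frame-Options arrives more than once, as in the proxy-plus-Tomcat case described above. The function names and both sample responses are constructed for illustration; treating conflicting values as DENY models the behaviour the post reports for Firefox and Chrome.

```python
"""Audit a raw HTTP response head for duplicate or conflicting X-Frame-Options."""

# Constructed sample: the proxy adds SAMEORIGIN while the backend's DENY is still present.
BEFORE = ("HTTP/1.1 200 OK\r\n"
          "X-Frame-Options: SAMEORIGIN\r\n"
          "Content-Type: text/html\r\n"
          "X-Frame-Options: DENY\r\n\r\n")

# Constructed sample: the backend header was unset before the proxy set its own.
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n"
         "X-Frame-Options: SAMEORIGIN\r\n\r\n")


def xfo_values(raw_head: str) -> list[str]:
    """Return every X-Frame-Options value in wire order, lowercased."""
    values = []
    for line in raw_head.splitlines()[1:]:      # skip the status line
        if not line:                            # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            # An intermediary may fold duplicates into one comma-separated field.
            values += [v.strip().lower() for v in value.split(",") if v.strip()]
    return values


def audit(raw_head: str) -> dict:
    """Summarise what a client receives for X-Frame-Options."""
    values = xfo_values(raw_head)
    distinct = set(values)
    if not values:
        effective = None                        # header absent, no framing policy sent
    elif len(distinct) == 1:
        effective = values[0]
    else:
        effective = "deny"                      # conflicting values: fallback seen in the post
    return {"values": values, "duplicate": len(values) > 1,
            "conflict": len(distinct) > 1, "effective": effective}


if __name__ == "__main__":
    for label, head in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(head))
```
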
