Hi,
I ran a security scan for X-Frame-Options
(https://gf.dev/x-frame-options-test) on our site
(https://linuxsecurity.com), and it returned SAMEORIGIN, which is good,
but it also returned GOFORIT.
The only settings we have are the following:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000;
includeSubDomains"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
No where are we setting GOFORIT. Is it somehow the default and necessary
to explicitly disable it?
Other ideas greatly appreciated.
Thanks,
Dave
