Hi, revisiting a post from last week regarding X-Frame-Options and
security settings. I performed a security scan of
https://linuxsecurity.com using immuniweb
(https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/
<https://www.immuniweb.com/websec/linuxsecurity.com/QoioHb5H/>) and it
showed we were setting GOFORIT and SAMEORIGIN. I'm unable to determine
where GOFORIT is being set, as we're not doing it manually, and I can't
locate it within an htaccess or in the virtual host config.
I also used geekflare (https://gf.dev/x-frame-options-test) and it also
reported that we were using both GOFORIT and SAMEORIGIN values.
I used lynx to dump the headers and it only displays SAMEORIGIN, as it
should.
Where else can I look to see where this option is being set?
Thanks,
Dave
On 9/1/21 7:43 PM, Eric Covener wrote:
On Wed, Sep 1, 2021 at 7:30 PM Dave Wreski
<dwre...@guardiandigital.com.invalid> wrote:
Hi,
I ran a security scan for X-Frame-Options (https://gf.dev/x-frame-options-test)
on our site (https://linuxsecurity.com), and it returned SAMEORIGIN, which is
good, but it also returned GOFORIT.
The only settings we have are the following:
<IfModule mod_headers.c>
Header set X-XSS-Protection "1; mode=block"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header always set Strict-Transport-Security "max-age=63072000;
includeSubDomains"
Header set Feature-Policy "geolocation 'self'; vibrate 'none'"
Header set Content-Security-Policy "frame-ancestors 'self'"
</IfModule>
No where are we setting GOFORIT. Is it somehow the default and necessary to
explicitly disable it?
No. I'd veifry with a command-line client and see if it happens even
for static files.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org