Applying per directory X-Frame-Options headers in Apache

To help prevent clickjacking, I had applied the following to my Apache 2.2 configuration, based on the suggestions in OWASP’s Clickjacking Defense Cheat Sheet and the Mozilla Developer Network’s The X-Frame-Options response header:

Header always append X-Frame-Options SAMEORIGIN

However, my site has certain pages that are included in an iframe on another site, for the purpose of displaying content on digital signage devices. After I added that header, those pages would no longer load in an iframe on the digital signage devices’ browsers.

I thought I might be able to change SAMEORIGIN to ALLOW-FROM and list both the URI of my site and the URI of the digital signage page. However, the HTTP Header Field X-Frame-Options RFC indicates:

Wildcards or lists to declare multiple domains in one ALLOW-FROM statement are not permitted

The pages I wanted to exempt from the X-Frame-Options restriction exist in their own directory, /digitalsignage, so I tried to override the X-Frame-Options header in a .htaccess file:

Header always append X-Frame-Options ALLOW-ACCESS http://example.com

That caused a 500 Server Error. This message appeared in the error logs:

.htaccess: error: envclause should be in the form env=envar

The Header directive must be malformed, but I am not sure how. I did not determine how to properly format the statement so as not to produce that error, although several sites have pointed out that some browsers (Chrome, Safari) do not support ALLOW-ACCESS.

I changed the .htaccess file back to SAMEORIGIN, to match what was in the main site configuration:

Header always append X-Frame-Options SAMEORIGIN

I then noted that the response header sent by the server included SAMEORIGIN twice:

Header: SAMEORIGIN, SAMEORIGIN

That’s the expected behavior when using append. It appeared only once after I changed append to set:

Header always set X-Frame-Options SAMEORIGIN

I tried using set instead of append with ALLOW-ACCESS:

Header always set X-Frame-Options ALLOW-ACCESS http://example.com

But it still produced the same 500 Server Error.

After reading the documentation for Apache’s mod_headers, I realized that unset would allow me to remove the X-Frame-Options header from the /digitalsignage directory:

Header always unset X-Frame-Options

That worked, and the pages were successfully included as iframes in a page on the digital signage company’s site.
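The complete arrangement described above, collected into one virtual host as an added example (this is not the post’s own configuration; the hostnames, paths and the signage site’s origin are assumed for illustration). It also shows why the ALLOW-FROM attempt produced the 500 error: the Header directive takes exactly one value argument, so a value containing a space has to be quoted. Left unquoted, mod_headers reads the fourth token as the optional env= clause, which is precisely what the logged message “envclause should be in the form env=envar” is complaining about.

```apache
# Added example (not the post's own config). Assumes Apache 2.2.12 or later
# with mod_headers loaded, docroot /var/www/example.com, and the frameable
# pages under /digitalsignage. Origins are placeholders.
<VirtualHost *:80>
    ServerName example.com
    DocumentRoot /var/www/example.com

    # "set" replaces any existing value, so the header is sent exactly once.
    # "append" here plus "append" in a .htaccess file is what produced
    # "X-Frame-Options: SAMEORIGIN, SAMEORIGIN". "always" makes the directive
    # apply to error responses (4xx/5xx) as well as successful ones.
    Header always set X-Frame-Options SAMEORIGIN

    # Pages under /digitalsignage must load inside the signage site's iframe,
    # so remove the header for that directory only. Note what "unset" means:
    # no header at all, so ANY site may frame these pages, not just the
    # signage site. Keep only content that is safe to frame in here.
    <Directory /var/www/example.com/digitalsignage>
        Header always unset X-Frame-Options
    </Directory>

    # Alternative for browsers that honour ALLOW-FROM (RFC 7034): permit one
    # named origin instead of everyone. The value contains a space, so it MUST
    # be quoted; "Header always set X-Frame-Options ALLOW-FROM http://..."
    # fails at startup because "http://..." is parsed as an env= clause.
    # Only one origin may be listed; there is no list or wildcard form.
    # <Directory /var/www/example.com/digitalsignage>
    #     Header always set X-Frame-Options "ALLOW-FROM http://signage.example.net"
    # </Directory>
</VirtualHost>
```

Verify with `curl -sI http://example.com/` (expect exactly one X-Frame-Options line) and `curl -sI http://example.com/digitalsignage/` (expect none). The `always` condition was introduced in mod_headers 2.2.12; on an older 2.2 build the directive is rejected and has to be written without it, which limits it to successful responses.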

11 thoughts on “Applying per directory X-Frame-Options headers in Apache”

  1. Hi,

    How can we use the “unset” option to nullify the X-FRAME options for 2 sites?

  2. @Vikas, to clarify, I think you are asking how to use the X-Frame-Options header to allow 2 sites to embed your site within a frame or iframe, but no other sites.

    If that is what you are trying to do, I have bad news: that’s not possible. In my case, I used the unset keyword to allow any site to embed files in a specific directory in a frame or iframe. The options with X-Frame-Options seem to be to allow all sites (by not setting or removing the header), to disallow all sites (DENY), to allow only the hosting site (SAMEORIGIN), or to allow one single external site (ALLOW-FROM).

    However, there are other changes you could make to your Apache configuration to conditionally add/change/remove the X-Frame-Options header. One idea would be to use SetEnvIf to check the Referer request header value and set the response header accordingly.

  3. Hi

    I’ve got the same problem, but I don’t know how you managed to apply ‘Header always unset X-Frame-Options’ to only one directory. Could you please post an example?

  4. @Ruben, here’s a simplified example from an httpd.conf file or an apache.conf file:

    <VirtualHost 127.0.0.1:80>
        ServerName example.com
        Header always set X-Frame-Options SAMEORIGIN
        <Directory /example.com/docroot/frameme>
            Header always unset X-Frame-Options
        </Directory>
    </VirtualHost>


    Now example.com is protected from being embedded in a frame, with the exception of example.com/frameme.

    If you do not have access to your httpd.conf or apache.conf file, you can create a .htaccess file in the directory you want to exempt (/example.com/docroot/frameme in this example) and include the following line in the file:

    Header always unset X-Frame-Options

  5. Hello,
    I added
    # Extra Security Headers

    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff

    in .htaccess but it does not work. Any idea, please? Thank you.

  6. My Apache install doesn’t seem to like the “always” part. It worked for me to override the Apache config with an .htaccess file in the target directory as described, only without “always”…

    Header unset X-Frame-Options

    Hope that helps someone.
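The question in the comments (allowing two external sites to frame a directory) cannot be answered with a single X-Frame-Options value, as the reply says. This added example, which is not from the post or any commenter, works out the SetEnvIf-on-Referer idea that the reply suggests, and pairs it with the mechanism browsers actually provide for a list of origins, the Content-Security-Policy frame-ancestors directive. The hostnames are made up; it assumes mod_setenvif and mod_headers are loaded and Apache 2.2.12 or later for the `always` condition.

```apache
# Added example (not from the post or its comments). Placed in the vhost or
# in the <Directory> / .htaccess for the frameable pages. Hostnames assumed.

# Preferred: browsers enforce frame-ancestors as an origin check and it takes
# a list, so the two signage sites (and our own pages) may frame, nobody else.
# Browsers that understand this directive give it precedence over X-Frame-Options.
Header always set Content-Security-Policy "frame-ancestors 'self' https://signage.example.net https://kiosk.example.org"

# Fallback for old browsers without frame-ancestors support, implementing the
# Referer idea: mark requests whose Referer names one of the allowed sites.
SetEnvIf Referer "^https?://(signage\.example\.net|kiosk\.example\.org)/" allowed_framer

# Send SAMEORIGIN to everyone else. "env=!allowed_framer" skips the directive
# when the variable is set; this env= clause is the fourth argument the
# parser expected when it logged "envclause should be in the form env=envar".
Header always set X-Frame-Options SAMEORIGIN env=!allowed_framer

# Caveats for the fallback: Referer is chosen by the client and is often
# stripped by referrer policies or privacy settings, so a signage page that
# sends no Referer gets SAMEORIGIN and is blocked, and a forged Referer simply
# means no X-Frame-Options header at all for that response. It selects which
# header to emit; only the browser's own check on the header enforces anything.
```

Check both branches with `curl -sI http://example.com/digitalsignage/` (expect X-Frame-Options: SAMEORIGIN) and `curl -sI -H "Referer: https://signage.example.net/board" http://example.com/digitalsignage/` (expect no X-Frame-Options line); the Content-Security-Policy line should appear in both.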
