
A large number of client sites are on an NGINX hosting platform and a large number of those sites are using industry specific eComm software... ...the eComm provider is pushing all of their customers to ensure that they've got robust security and the only item we're not in compliance with is X-Frame-Options being set to either SAMEORIGIN or DENY.

Normally, we'd do this with .htaccess but on this host, there is no .htaccess. So instead we've created a simple plugin that does nothing but set the HTTP header X-Frame-Options: SAMEORIGIN.

if( !function_exists( 'wpse60844_set_xframe' ) ) :
    // Emit X-Frame-Options on every response; priority 99 so it runs late in send_headers.
    function wpse60844_set_xframe() {
        header( 'X-Frame-Options: SAMEORIGIN' );
    }
    add_action( 'send_headers', 'wpse60844_set_xframe', 99 );
endif;

With that above, we can run a check and see if it's listed in the sent headers and it is...

var_dump( headers_list() ) shows me that X-Frame-Options is set to SAMEORIGIN.

However, any site scanner we run, and every browser's DEV tools, don't show that it's set.

Have also already tried to remove_headers() first and then re-set it and have tried to run the function on init instead of send_headers. Neither of these seem to make a difference.

UPDATE / ANSWER

The code in the question, as it turns out, is fine. It's correct for LAMP stacks and it appears that it just doesn't work on NGINX (LNMP stack) OR it just doesn't work on FlyWheel hosted sites. (That's yet to be determined because I only have access to NGINX via FlyWheel hosted sites, so I haven't yet been able to test this elsewhere.) Kinda sucks because the whole purpose of the function was to add the header on servers where I don't get to use .htaccess, like FlyWheel, so the one place where I would need this, is the one place it doesn't work. On all the other LAMP sites we work with, we'd just add it to .htaccess.
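The gap the post runs into is that headers_list() only reports what PHP queued, while a scanner or browser sees what the front-end (NGINX, a cache, a proxy) finally sends. The following is an added example, not code from the question or from Flywheel, that checks clickjacking protection from the client side: it fetches a URL and evaluates the received headers, accepting X-Frame-Options SAMEORIGIN/DENY or a CSP frame-ancestors directive. The sample header dicts are constructed; the function names are my own.

```python
# Added example: evaluate clickjacking protection as a client actually receives it.
import urllib.request
from typing import Dict, Optional

COMPLIANT_XFO = {"SAMEORIGIN", "DENY"}

# Constructed samples of what a scanner might see from the NGINX front-end.
SAMPLE_MISSING = {"Server": "nginx", "Content-Type": "text/html; charset=UTF-8"}
SAMPLE_OK = {"server": "nginx", "x-frame-options": "sameorigin"}


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """GET a URL and return its response headers with lowercase names."""
    req = urllib.request.Request(url, headers={"User-Agent": "xfo-check/1.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}


def frame_ancestors(csp: Optional[str]) -> Optional[str]:
    """Return the value of the CSP frame-ancestors directive, or None if absent."""
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def evaluate_frame_protection(headers: Dict[str, str]) -> dict:
    """Classify the headers a client received; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    xfo = h.get("x-frame-options", "").strip().upper()
    fa = frame_ancestors(h.get("content-security-policy"))
    result = {"xfo": xfo or None, "frame_ancestors": fa, "compliant": False, "reason": ""}
    if xfo in COMPLIANT_XFO:
        result["compliant"], result["reason"] = True, f"X-Frame-Options: {xfo}"
    elif fa is not None and fa.strip() != "*":
        # Browsers that support CSP level 2 prefer frame-ancestors over X-Frame-Options.
        result["compliant"], result["reason"] = True, f"CSP frame-ancestors {fa}"
    elif xfo:
        result["reason"] = f"X-Frame-Options has unsupported value {xfo!r}"
    else:
        result["reason"] = "no X-Frame-Options and no CSP frame-ancestors"
    return result


def check_site(url: str) -> dict:
    """Fetch the URL and evaluate it; this is the view a scanner or browser gets."""
    return evaluate_frame_protection(fetch_headers(url))


if __name__ == "__main__":
    import sys
    print(check_site(sys.argv[1]) if len(sys.argv) > 1 else evaluate_frame_protection(SAMPLE_MISSING))
```

Run it against the site's public URL rather than trusting headers_list(); if the header is present in PHP but absent here, the front-end is dropping or never forwarding it.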

Tags: php. Title: Using send_headers action to set X-Frame-Options not really working