I need to add a Content Security Policy to my server that’s using NGINX.
The header is to filter when my website can be put in an iframe. I see that Cloudflare has an X-Frame-Options header (it is not specified in my nginx.conf file), which is an outdated method, and most browsers now recommend using CSP. But even with X-Frame-Options set, my site can still be put in an iframe.
This got me thinking: do I need to put the CSP through Cloudflare, if that is possible? If I put it in my config file, will this cause an issue with X-Frame-Options, and if it does, how can I turn it off?
My knowledge is limited in this topic, so if possible please advise. I know that the CSP works, as I tested it somewhere else and it escapes from iframes not set by a verified source.