CF sometimes sends the X-Frame-Options header for my site

Answer these questions to help the Community help you with Security questions.

What is the domain name?

duotify .com

Have you searched for an answer?

Yes

Please share your search results url:

  • https : // community .cloudflare .com/t/cf-adds-response-header-of-x-frame-options-sameorigin/555793

When you tested your domain, what were the results?

CF sometimes sends X-Frame-Options for my site when my site is embedded in an iframe on the other site.

I have not enabled the Rules > Transform Rules > Managed Transform > Add security headers option.

Describe the issue you are having:

I want my site to be iframeable, so I didn’t configure the X-Frame-Options header. But CF seems to send X-Frame-Options when my site is iframed on the other site.

What error message or number are you receiving?

Refused to display ‘https : // www. duotify. com/’ in a frame because it set ‘X-Frame-Options’ to ‘sameorigin’.

What steps have you taken to resolve the issue?

  1. Under Rules > Transform Rules > Modify Response Header

  2. Create a rule: Remove X-Frame-Options

Was the site working with SSL prior to adding it to Cloudflare?

Yes

What are the steps to reproduce the error:

  1. Go to https : // gamma .app/public/Angular-vs-Vuejs--8isyyfmltpltxt3?mode=present#card-cwau2mqq2t4o32w

  2. Click the link www. duotify. com (The homepage can be shown. CF doesn’t send the X-Frame-Options header at this time.)

  3. Click any link on the page. It will be blocked by the “X-Frame-Options: SAMEORIGIN” header. (This is because CF sends the X-Frame-Options header at this time. That’s what I can’t understand.)

Have you tried from another browser and/or incognito mode?

Yes. Firefox. Same issue.

Please attach a screenshot of the error:
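
The behaviour in the reproduction steps comes down to which responses carry a framing header. As an added example (not part of the original post), the JavaScript below takes response headers captured per URL and applies the rules browsers use for X-Frame-Options and CSP frame-ancestors. The hosts, paths and header values are constructed placeholders, and `parseHeaders`, `framingVerdict` and `audit` are names chosen for this sketch.

```javascript
// Constructed sample: raw response headers per URL, as `curl -sI` would print them.
// Hosts, paths and values are placeholders, not captures from the site in the post.
const captured = [
  { url: "https://site.example/",
    raw: "HTTP/2 200\r\nserver: cloudflare\r\ncontent-type: text/html\r\n" },
  { url: "https://site.example/about",
    raw: "HTTP/2 200\r\nserver: cloudflare\r\nX-Frame-Options: SAMEORIGIN\r\n" },
  { url: "https://site.example/blog",
    raw: "HTTP/2 200\r\nx-frame-options: DENY\r\n" +
         "content-security-policy: default-src 'self'; frame-ancestors https://parent.example\r\n" },
];

// Parse a header block into a lowercase-name map; repeated headers are comma-joined.
function parseHeaders(raw) {
  const map = new Map();
  for (const line of raw.split(/\r?\n/).slice(1)) {
    const i = line.indexOf(":");
    if (i < 1) continue;
    const name = line.slice(0, i).trim().toLowerCase();
    const value = line.slice(i + 1).trim();
    map.set(name, map.has(name) ? `${map.get(name)}, ${value}` : value);
  }
  return map;
}

// Would a document at parentOrigin be allowed to frame this response?
// Simplified: one level of nesting, exact-origin sources only (no host wildcards).
function framingVerdict(url, raw, parentOrigin) {
  const h = parseHeaders(raw);
  const same = new URL(url).origin === parentOrigin;
  const fa = (h.get("content-security-policy") || "").split(/[;,]/)
    .map((d) => d.trim().split(/\s+/))
    .find((d) => d[0].toLowerCase() === "frame-ancestors");
  if (fa) { // frame-ancestors, when present, is enforced instead of X-Frame-Options
    const src = fa.slice(1);
    const allowed = src.some((s) => s === "*" || s === parentOrigin || (s === "'self'" && same));
    return { allowed, via: `frame-ancestors ${src.join(" ")}` };
  }
  const xfo = new Set((h.get("x-frame-options") || "").toUpperCase().split(",")
    .map((v) => v.trim()).filter(Boolean));
  if (xfo.size === 0) return { allowed: true, via: "no framing header" };
  if (xfo.size === 1 && xfo.has("SAMEORIGIN")) return { allowed: same, via: "X-Frame-Options SAMEORIGIN" };
  if (xfo.has("DENY") || xfo.has("SAMEORIGIN")) return { allowed: false, via: "X-Frame-Options " + [...xfo].join(",") };
  return { allowed: true, via: "X-Frame-Options value ignored as invalid" };
}

// Verdict for every captured URL when framed by a page at parentOrigin.
function audit(parentOrigin) {
  return captured.map(({ url, raw }) => ({ url, ...framingVerdict(url, raw, parentOrigin) }));
}
console.log(audit("https://parent.example"));
```

Running it over headers captured for the homepage and for a linked page shows which responses carry the header, and the `server` or `cf-ray` lines in the same capture show whether the response passed through Cloudflare.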
