Cloudflare doesn't respect servers X-Frame-Options header

webadmin · January 18, 2023, 9:25am

Does the cloudfare dashboard let you set X-Frame-Options? Without a worker?

Because Cloudflare doesn’t take into account the headers I have set on my server, because Cloudflare is serving my site. So when I run curl domain.com -v, cloudflares responses comes through, not my server.

azim1 · January 18, 2023, 7:32pm

Im facing the same issue, even though i’ve configured my app to use SAMEORIGIN, it uses DENY instead

webadmin · January 19, 2023, 4:26am

Anyone got any ideas?

cristi10 · February 2, 2023, 4:06pm

Under Rules > Transform Rules > Modify Response Header, try creating a rule:

with Custom filter expression (http.host eq "your-website.com")
Set static X-Frame-Options =

cc @azim1

Topic		Replies	Views
Cloudflare with nginx stripping security headers Security	3	3665	April 25, 2019
Cloudflare stripping X-Frame-Options? Security	1	2900	October 3, 2021
Cloudflare added header x-frame-options General	2	16495	May 6, 2019
X-frame-options not working using workers Workers	7	4173	January 27, 2021
XFrame headers seem to be stripped by cloudflare General	3	5683	June 18, 2021

Cloudflare doesn't respect servers X-Frame-Options header

Related topics