I am trying to enable X-Frame-Options on my site. So I made a dot htaccess file in the root directory, containing “Header always set X-Frame-Options DENY”, uploaded it to the web host (it is there, I checked) and did a purge everything on Cloudflare.
18 hours later, Mozilla Observatory still reports X-Frame-Options is not enabled.
Where have I gone wrong?

It’s probably a syntax error. I set X-Frame-Options at my site and Cloudflare passes them through. Try Google to find out the correct syntax.

If you are on a shared hosting, or just try out with “quotes” and modify it to be like below and write us back with feedback upon successfull change and purging the cache:

Header append X-FRAME-OPTIONS "DENY"

I’m the only site on a VPS, but I’ll try your wording and post the result.

My bad. An editor was saving the file with an .htm extension, and it got uploaded all the way to cloudflare with the extension. I didn’t catch this until I viewed the directory. All fixed now.

FWIW, we used the commend recommended by the ISP hosting the origin server:
Header always set X-Frame-Options DENY


This topic was automatically closed after 30 days. New replies are no longer allowed.