XFrame headers seem to be stripped by Cloudflare


From our origin server we are sending back - X-Frame-Options SAMEORIGIN. However, when it goes through Cloudflare this is removed from the response. Note that this is on a favicon.png file. Any thoughts on why this is happening and what we can do to resolve?

UPDATE: It appears that the header is not suppressed on html files, but is on js and png files.


I add the x-frame-options header (sameorigin) in my .htaccess file on my Apache server. It is not being suppressed in any of the filetypes: js, css, png, html, woff2, ico

I only checked this in Firefox, so at least I know something works.

Do you know the cache status of all those filetypes? I don’t know what setting would interfere with this.
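
One way to answer the cache-status question in the last reply, as an added example that is not part of the original thread: the Python below parses `curl -sI`-style response headers and groups the paths that lack X-Frame-Options by their CF-Cache-Status value. The sample responses and paths are constructed, and `fetch_headers` is a hypothetical helper name for running the same check against a live site.

```python
from urllib.request import Request, urlopen

def parse_headers(raw):
    """Parse `curl -sI`-style output into a dict keyed by lower-cased header name."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():               # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def fetch_headers(url):
    """Live variant (hypothetical helper): HEAD request, same dict shape as parse_headers."""
    with urlopen(Request(url, method="HEAD"), timeout=10) as resp:
        return {k.lower(): v for k, v in resp.getheaders()}

def audit(responses):
    """responses maps path -> headers dict; returns (path, x-frame-options, cache status) rows."""
    return [(path, h.get("x-frame-options"), h.get("cf-cache-status", "absent"))
            for path, h in sorted(responses.items())]

def missing_by_cache_status(rows):
    """Group the paths that lack X-Frame-Options by their CF-Cache-Status value."""
    groups = {}
    for path, xfo, status in rows:
        if xfo is None:
            groups.setdefault(status, []).append(path)
    return groups

# Constructed sample responses for illustration, not captured from a real site.
SAMPLES = {
    "/index.html": "HTTP/2 200\r\ncontent-type: text/html\r\n"
                   "x-frame-options: SAMEORIGIN\r\ncf-cache-status: DYNAMIC\r\n\r\n",
    "/favicon.png": "HTTP/2 200\r\ncontent-type: image/png\r\ncf-cache-status: HIT\r\n\r\n",
    "/app.js": "HTTP/2 200\r\ncontent-type: application/javascript\r\n"
               "cf-cache-status: HIT\r\n\r\n",
}

if __name__ == "__main__":
    rows = audit({path: parse_headers(raw) for path, raw in SAMPLES.items()})
    for path, xfo, status in rows:
        print(f"{path:14} x-frame-options={xfo or 'MISSING':10} cf-cache-status={status}")
    print("missing, grouped by cache status:", missing_by_cache_status(rows))
```

If the header is missing only on responses marked HIT, compare against a request sent directly to the origin: a cached response carries the headers that were stored with it, which may differ from what the origin sends now.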