From our origin server we are sending back X-Frame-Options: SAMEORIGIN. However, when it goes through Cloudflare this header is removed from the response. Note that this is on a favicon.png file. Any thoughts on why this is happening and what we can do to resolve it?

UPDATE: It appears that the header is not suppressed on html files, but is on js and png files.

I add the X-Frame-Options header (SAMEORIGIN) in my .htaccess file on my Apache server. It is not being suppressed for any of these file types: js, css, png, html, woff2, ico.

I only checked this in Firefox, so at least I know something works.

Do you know the cache status of all those filetypes? I don’t know what setting would interfere with this.

I am experiencing the same problem. The following snippet is in my .htaccess file. It works fine on a non-Cloudflare site, fails with Cloudflare:

# Apache mod_headers directives (straight quotes; the curly quotes that forum
# formatting produces would become part of the header value)
Header always append X-Frame-Options "SAMEORIGIN"
Header always append X-XSS-Protection "1;mode=block"

(tested on https://observatory.mozilla.org/)
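The thread boils down to a comparison: which security headers does the origin emit for a given file type, and which of them still reach the browser after the CDN edge has handled (and possibly cached) the response? The script below is an added example written for this thread, not code from Cloudflare, Apache or any poster here. It parses raw HTTP response headers into a normalized dict, reports whether a response came via Cloudflare (cf-ray / Server: cloudflare), reads its cache status (the question asked above about cache status per file type), lists which expected headers are missing, and diffs origin against edge to name the headers that were stripped. The two embedded responses are constructed to mirror the favicon.png case described in the thread; run it with URLs as arguments to audit a live site instead (one origin URL, one edge URL per pair).

```python
import sys
import urllib.request
from typing import Dict, List

# Headers we want present on every response, regardless of file type.
EXPECTED_HEADERS = ("x-frame-options",)

# Headers that legitimately differ between an origin and an edge response,
# so they are not reported as "stripped".
HOP_BY_HOP = {"connection", "keep-alive", "date", "server", "content-length",
              "transfer-encoding", "age", "via"}


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn a raw HTTP response head (status line + headers) into a dict with
    lowercase names. Repeated headers are joined with ', ' as RFC 9110 allows."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # end of the header section
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def served_via_cloudflare(headers: Dict[str, str]) -> bool:
    """Cloudflare adds a cf-ray header and rewrites Server to 'cloudflare'."""
    return "cf-ray" in headers or headers.get("server", "").lower() == "cloudflare"


def check_response(path: str, headers: Dict[str, str]) -> dict:
    """Summarize one response: where it came from, its edge cache status, and
    which of the expected security headers are absent."""
    return {
        "path": path,
        "via_cloudflare": served_via_cloudflare(headers),
        "cache_status": headers.get("cf-cache-status"),  # e.g. HIT, MISS, DYNAMIC
        "missing": [h for h in EXPECTED_HEADERS if h not in headers],
    }


def stripped_headers(origin: Dict[str, str], edge: Dict[str, str]) -> List[str]:
    """Headers the origin sent that the edge response no longer carries."""
    return sorted(h for h in origin if h not in edge and h not in HOP_BY_HOP)


def fetch_headers(url: str) -> Dict[str, str]:
    """Live HEAD request; returns the response headers lowercased."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return {k.lower(): v for k, v in resp.headers.items()}


# Constructed sample responses (not captured from any real site): the origin
# sets X-Frame-Options on favicon.png, the cached edge copy does not.
ORIGIN_FAVICON = """HTTP/1.1 200 OK
Server: Apache
Content-Type: image/png
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1;mode=block
"""

EDGE_FAVICON = """HTTP/1.1 200 OK
Server: cloudflare
CF-RAY: PLACEHOLDER-RAY-ID
CF-Cache-Status: HIT
Content-Type: image/png
X-XSS-Protection: 1;mode=block
"""


def audit_pair(path: str, origin: Dict[str, str], edge: Dict[str, str]) -> dict:
    """Combine the per-response checks with the origin-vs-edge diff."""
    return {
        "origin": check_response(path, origin),
        "edge": check_response(path, edge),
        "stripped": stripped_headers(origin, edge),
    }


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python audit.py <origin-url> <edge-url>
        report = audit_pair(sys.argv[2], fetch_headers(sys.argv[1]), fetch_headers(sys.argv[2]))
    else:
        report = audit_pair("/favicon.png",
                            parse_raw_headers(ORIGIN_FAVICON),
                            parse_raw_headers(EDGE_FAVICON))
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it once per file type (html, js, png, woff2, ico) and compare the cache_status values: a header that survives on DYNAMIC responses but vanishes on HIT ones points at the cached copy, and the fix is to purge the cache after changing .htaccess rather than to hunt for an edge setting.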

