Nginx as reverse Proxy, remove X-Frame-Options header

Jonathan Matthews contact at
Thu Jan 9 12:12:09 UTC 2014

On 9 January 2014 11:57, Maxim Dounin <mdounin at> wrote:
> Hello!
> On Thu, Jan 09, 2014 at 10:21:43AM +0000, Jonathan Matthews wrote:
>> On 9 January 2014 10:03, basti <black.fledermaus at> wrote:
>> > Hello,
>> >
>> > I have a closed-source Webapp that run on an IIS-Webserver and send a
>> > "X-Frame-Options: SAMEORIGIN" header.
>> > I also have to implement this Webapp in my own, Frame based Application.
>> >
>> > So I try to use nginx as a reverse Proxy, but the X-Frame-Options Header
>> > is still send.
>> > How can I remove his header?
>> > I have try "proxy_hide_header X-Frame-Options;" without success.
>> You'll find the answer in the documentation:
> The X-Frame-Options header is returned by a server-side
> application, hence the proxy_hide_header is correct solution,
> while proxy_set_header isn't.

My bad. I was pretty sure I'd had success with 'set foo ""' where
'hide' hadn't worked in the past.

> And, being pedantic, wiki != documentation.  Here are
> links to the documentation:

Ack that. I'll personally keep linking to the wiki until the documentation

* is significantly better internally hyper-linked;
* has documentation targeted soley towards the open source nginx,
without having to skip to the end of each directive to check for "This
functionality is available as part of our commercial subscription
* has useful pages such as IfIsEvil integrated into it.

I may be wrong about that third one still needing doing, but I
couldn't find IfIsEvil anywhere but the wiki. The presence of a
top-level pointer on each wiki page to is
pretty useless, too - it needs to point to the appropriate place in
the docs to get people to start using them.

Didn't you guys pick up several millions a while ago, which was
announced as being somewhat earmarked for improving documentation? :-)


More information about the nginx mailing list