X-Frame-Options: Nginx includes header twice

Some Developer someukdeveloper at gmail.com
Mon Jan 27 02:49:25 UTC 2014

On 25/01/2014 07:51, wishmaster wrote:
>   --- Original message ---
>   From: "Some Developer" <someukdeveloper at gmail.com>
>   Date: 25 January 2014, 06:04:10
>> I'm running Nginx 1.4.4 on Ubuntu 12.04 and have added the X-Frame-Options header for one of my sites but in testing it appears that Nginx includes this itself in addition to user configured headers. Basically I want X-Frame-Options to be DENY but when I set that header Nginx also sends an X-Frame-Options SAMEORIGIN header so that there are two X-Frame-Options headers in every request.
>> Is there some way to disable the extra header? I can't find anything in my configuration that would add the second header.
>   May by this is the header, has been set by your php-application?
>   You can remove this with help of module http://wiki.nginx.org/HttpHeadersMoreModule
I don't actually use PHP but your response lead me to an answer. 
Apparently Django sets some headers so it looks like I need to disable 
it there. Thanks!

Seems a bit strange to me that an application framework sets HTTP 
headers. Surely this should be left to the HTTP server? What are other 
peoples opinions on this?

More information about the nginx mailing list