setting headers - X-Frame-Options


Rajesh Gupta

Aug 29, 2019, 7:05:27 AM
to google-a...@googlegroups.com
Hi,
I am trying to set X-frame-options headers.

I added the following in the appengine-web.xml

<include path="/**.html">
    <!-- Refer to clickjacking.  QuickBooks security review email on Aug 28 2019 -->
    <!-- X-Frame-Options takes a single directive: DENY or SAMEORIGIN -->
    <http-header name="X-FRAME-OPTIONS"
                 value="DENY" />
    <http-header name="Content-Security-Policy"
                 value="frame-ancestors 'none'" />
</include>

It is all fine, except for one case.

For example, if I am running locally and type
http://localhost:8888, then the headers are not added to the response.

However, for http://localhost:8888/index.html, the headers are added to the response.

How can I add the headers in the response for the case 'http://localhost:8888'?

-- 
Rajesh
Field Service Software on Google Cloud Platform and Mobile


Rajesh Gupta

Aug 31, 2019, 2:40:48 AM
to google-a...@googlegroups.com
Any solutions on this?

Sam (Google Cloud Support)

Sep 4, 2019, 3:43:50 PM
to Google App Engine
Hi,

As far as I know, our public doc doesn't make any reference to X-Frame-Options [1]. Also, this might not be something App Engine allows on the client side per this StackExchange answer [2]. But from my research I see that this is the syntax for setting the header in the `appengine-web.xml` file:

<include path="url">
    <http-header name="X-Frame-Options" value="SAMEORIGIN"/>
</include>

For further concerns like adding the headers in the response for the case 'http://localhost:8888' I would recommend seeking coding assistance on www.stackoverflow.com or any other similar forum.
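
Added example (not part of the thread and not App Engine code): a Python check for the symptom described in the first post, where /index.html carries the anti-framing headers but / does not. The header dictionaries are constructed sample responses and the /bad.html path is hypothetical; call audit_urls with its default fetch_headers to audit a running server instead.

```python
import urllib.request

VALID_XFO = {"DENY", "SAMEORIGIN"}  # ALLOW-FROM is obsolete and not accepted here

def audit_framing_headers(headers):
    """Return the problems found in one response's anti-framing headers."""
    h = {name.lower(): value for name, value in headers.items()}
    problems = []
    xfo = h.get("x-frame-options")
    if xfo is None:
        problems.append("X-Frame-Options missing")
    elif xfo.strip().upper() not in VALID_XFO:
        # The value must be exactly one directive, not a combination.
        problems.append("X-Frame-Options invalid: %r" % xfo)
    # A CSP is a ';'-separated list of directives: "name source source ..."
    names = [d.split()[0].lower()
             for d in h.get("content-security-policy", "").split(";") if d.strip()]
    if "frame-ancestors" not in names:
        problems.append("CSP frame-ancestors missing")
    return problems

def fetch_headers(url):
    """Fetch response headers from a live server (not used by the offline sample)."""
    with urllib.request.urlopen(url, timeout=5) as resp:
        return dict(resp.headers.items())

def audit_urls(urls, fetch=fetch_headers):
    """Audit every URL; returns {url: [problems]} so per-path gaps are visible."""
    return {url: audit_framing_headers(fetch(url)) for url in urls}

# Constructed sample responses (not captured from a real server).
SAMPLE = {
    "http://localhost:8888/": {"Content-Type": "text/html"},
    "http://localhost:8888/index.html": {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    },
    "http://localhost:8888/bad.html": {  # hypothetical path, malformed value
        "X-FRAME-OPTIONS": "DENY SAMEORIGIN",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    },
}

if __name__ == "__main__":
    for url, problems in audit_urls(SAMPLE, fetch=SAMPLE.get).items():
        print(url, "->", problems or "ok")
```

Auditing the bare root URL alongside each named page is what exposes a path pattern such as /**.html that never matches the request for /.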
