How to disable the X-FRAME-OPTIONS response header

Affects product: Airlock WAF
Affects version(s): 5.1 and newer

The X-Frame-Options HTTP response header indicates whether a browser is allowed to render a page inside a frame. The header declares the framing policy with one of the values DENY (prevents any framing), SAMEORIGIN (prevents framing by external sites), or ALLOW-FROM origin (allows framing only by the specified site). Sites can use this to avoid clickjacking attacks by ensuring that their content is not embedded into other sites.

Airlock WAF also adds this HTTP response header to responses sent to the client to protect against framing. By default, the header is set as follows: X-FRAME-OPTIONS: SAMEORIGIN

The X-Frame-Options action can be enabled or disabled globally in the Configuration Center under Application Firewall > Default Action, and the global setting can be overridden on individual mappings if desired.

To disable the action on the Mapping, do the following:

  • Log in to the Configuration Center and go to the corresponding Mapping. Select the tab Response Action.
  • Disable the action "(default) Add X-Frame-Options header".
  • Activate the new configuration.

To change the action on the Mapping, do the following:

  • Log in to the Configuration Center and go to the corresponding Mapping. Select the tab Response Action.
  • Click on the icon on the right side of the "(default) Add X-Frame-Options header" action.
  • A copy of this action should now be available under Custom Action.
  • Rename it, for example to "(customized) Add X-Frame-Options header".
  • Edit the Header Value as preferred.
  • Make sure the default action is disabled and the customized action is enabled.
  • Activate the new configuration.
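
After activating either change, it is worth confirming what the mapping actually sends. The following check is an added example, not part of the Airlock documentation: it inspects a raw response head and reports a missing, leftover, conflicting or unrecognised X-Frame-Options header. The function names and the sample response heads are constructed for illustration.

```python
VALID = {"DENY", "SAMEORIGIN"}

def xfo_values(raw_head):
    """Collect every X-Frame-Options value from a raw HTTP response head."""
    values = []
    for line in raw_head.splitlines()[1:]:   # skip the status line
        if not line.strip():                 # a blank line ends the headers
            break
        name, sep, value = line.partition(":")
        # Header names are case-insensitive (the page itself writes X-FRAME-OPTIONS)
        if sep and name.strip().lower() == "x-frame-options":
            values.extend(p.strip() for p in value.split(",") if p.strip())
    return values

def check_framing_header(raw_head, expected):
    """Return a list of findings (empty means OK).

    expected is the configured Header Value, or None if the action is disabled.
    """
    values = xfo_values(raw_head)
    distinct = sorted({v.upper() for v in values})
    if expected is None:
        return [f"header still present: {distinct}"] if values else []
    if not values:
        return ["header missing"]
    findings = []
    if len(distinct) > 1:                    # e.g. the header is set in two places
        findings.append(f"conflicting values: {distinct}")
    if expected.upper() not in distinct:
        findings.append(f"expected {expected.upper()}, got {distinct}")
    for v in distinct:
        if v.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete; current browsers ignore it")
        elif v not in VALID:
            findings.append(f"unrecognised value: {v}")
    return findings

# Constructed sample response heads (not captured from a real system)
HEAD = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
DEFAULT_ON = HEAD + "X-FRAME-OPTIONS: SAMEORIGIN\r\n\r\n"
ACTION_OFF = HEAD + "\r\n"
TWO_VALUES = HEAD + "X-Frame-Options: SAMEORIGIN\r\nX-Frame-Options: DENY\r\n\r\n"
ALLOW_FROM = HEAD + "X-Frame-Options: ALLOW-FROM https://portal.example\r\n\r\n"

if __name__ == "__main__":
    for label, head, want in [("default", DEFAULT_ON, "SAMEORIGIN"),
                              ("disabled", ACTION_OFF, None),
                              ("two values", TWO_VALUES, "DENY")]:
        print(label, check_framing_header(head, want) or "OK")
```

The response head of a live mapping can be captured with `curl -s -D - -o /dev/null <URL>` and passed to `check_framing_header` as a string.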