x_frame_options setting not working

EdsonGomes (New member, joined Sep 1, 2025, 8 messages)
Basically, the x_frame_options=sameorigin DirectAdmin setting is being ignored.
I tested in two different installations... same problem.

Only worked after I added the line directly into httpd.conf:

Header always set X-Frame-Options "SAMEORIGIN"

Am I doing something wrong?

PS: I'm new here, I hope I didn't send this post to the wrong place.
 
Hello,

Do you use Apache only? Or Nginx+Apache probably?

p.s. It is completely wrong to edit httpd.conf directly
 
Apache only in both servers that I tried.

Yeah, I know editing httpd.conf was not the proper way, but it was a quick way to "close the gate" until I sort out the DirectAdmin settings correctly.
 
I did not find any documentation on the matter, so I went further in testing and debugging. I found the mentioned option is valid only for DirectAdmin requests/responses. It changes the header sent by DirectAdmin only. It does not affect anything in Apache/Nginx/LiteSpeed/OpenLiteSpeed.

Try

Code:
# da config-set x_frame_options deny --restart

open a directadmin page and see headers.

Try then:

Code:
# da config-set x_frame_options sameorigin --restart

open a directadmin page and see headers.



Am I doing something wrong?
 
What is the proper channel to report a bug directly to the DirectAdmin team?
Do you have this information?

I appreciate. Thanks and have a good week.
 
Both these forums and a ticket system can be used for it. You might tag a DirectAdmin team member here if you want them to join the discussion.
Thank you.

Now, let me see if I can do this right: @directadmin-support.2 can you please help me to verify this possible bug?
 
This configuration option controls the x-frame-options header on the DirectAdmin web service (running on port 2222 by default), not the main webserver that is responsible for serving user websites (running on port 80 or 443 by default). The option seems to work as expected:

Code:
# curl -s -o /dev/null -v -k https://localhost:2222 2>&1 | grep x-frame-options
< x-frame-options: sameorigin
# da config-set x_frame_options deny --restart
# curl -s -o /dev/null -v -k https://localhost:2222 2>&1 | grep x-frame-options
< x-frame-options: deny
 
Ok.
It's just really strange to me that DirectAdmin has a directive to "manage itself", and not the web server it is installed to manage.
It would be like DirectAdmin installing a security certificate only for itself, and not for the user websites the server is hosting.

But, maybe I'm wrong. It's not my intention to antagonize.
Anyway, I appreciate the reply, thank you!
 
The HTTP X-Frame-Options response header can be used to indicate whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

What has it to do with certificates?
 
What has it to do with certificates?
I was making a comparative between two different scenarios involving a control panel's directives.

You can substitute the security certificate example that I used with any other directive from the control panel that controls only itself, and not the server it's managing. For me, it doesn't make sense, that's all.
 
As for the option "x-frame-options" for a webserver which handles requests to hosted web-sites, there is not much sense in having this option managed globally. Some sites might want to have a different value for "x-frame-options" than the global one.

For Apache you can

1. create /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post
2. and add the following content in /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.post:

Code:
Header always set X-Frame-Options "|X_FRAME_OPTIONS|"

3. create /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre
4. and add the following content in /usr/local/directadmin/data/templates/custom/cust_httpd.CUSTOM.pre:

Code:
|?X_FRAME_OPTIONS=SAMEORIGIN|

and run

Code:
da build rewrite_confs

Then if you want to change the option for a domain you can do it on a DirectAdmin customize httpd.conf page at admin level.
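The steps above, wrapped into a small POSIX shell script so they can be repeated on several servers and verified afterwards. This is an added example, not part of the thread and not DirectAdmin's own tooling. It assumes: the custom template directory is passed in as an argument (production path /usr/local/directadmin/data/templates/custom, as in the steps above), Apache has mod_headers loaded (the Header directive needs it; `httpd -M | grep headers` shows whether it is), and curl is installed for the check. The function and variable names (write_xfo_templates, parse_xfo, check_xfo) are the example's own.

```shell
#!/bin/sh
# Added example: install the two DirectAdmin custom template fragments
# from the post and verify the header a site actually returns.
# Paths, function names and the mod_headers assumption are this example's,
# not taken from the thread.

# write_xfo_templates DIR VALUE
#   DIR   : DirectAdmin custom template directory
#           (production: /usr/local/directadmin/data/templates/custom)
#   VALUE : default X-Frame-Options value, DENY or SAMEORIGIN
write_xfo_templates() {
    dir=$1
    value=$2
    # Only the two values browsers honour are accepted; ALLOW-FROM is
    # obsolete and a typo here would silently produce a useless header.
    case "$value" in
        DENY|SAMEORIGIN) ;;
        *) echo "X-Frame-Options must be DENY or SAMEORIGIN, got: $value" >&2; return 1 ;;
    esac
    mkdir -p "$dir"
    # .pre: declare the template variable with its default. |?NAME=VALUE|
    # only sets the variable when it is not already set, so a per-domain
    # value from the admin "customize httpd.conf" page still wins.
    printf '|?X_FRAME_OPTIONS=%s|\n' "$value" > "$dir/cust_httpd.CUSTOM.pre"
    # .post: the directive that DirectAdmin expands into every generated
    # VirtualHost. "always" makes Apache send it on error responses too.
    printf 'Header always set X-Frame-Options "|X_FRAME_OPTIONS|"\n' \
        > "$dir/cust_httpd.CUSTOM.post"
}

# parse_xfo: read raw HTTP response headers on stdin, print the
# X-Frame-Options value lower-cased (prints nothing when the header is absent).
parse_xfo() {
    tr -d '\r' | awk 'tolower($1) == "x-frame-options:" { print tolower($2) }'
}

# xfo_of URL: fetch only the headers (-I) and extract the value.
# -k tolerates the self-signed certificate DirectAdmin ships on port 2222.
xfo_of() {
    curl -sSIk "$1" | parse_xfo
}

# check_xfo URL EXPECTED: return 0 only if the served header matches.
check_xfo() {
    got=$(xfo_of "$1")
    if [ "$got" = "$2" ]; then
        echo "OK   $1 -> x-frame-options: $got"
    else
        echo "FAIL $1 -> expected '$2', got '${got:-<missing>}'" >&2
        return 1
    fi
}

# Production run on a DirectAdmin host (uncomment; example.com is a placeholder):
# write_xfo_templates /usr/local/directadmin/data/templates/custom SAMEORIGIN
# da build rewrite_confs
# check_xfo https://localhost:2222/ sameorigin   # DirectAdmin itself (x_frame_options setting)
# check_xfo https://example.com/ sameorigin      # a hosted site, served by Apache
```

The two checks at the end make the distinction from the thread visible: the first header comes from DirectAdmin on port 2222 and is governed by `da config-set x_frame_options`, the second comes from Apache and only appears once the templates are in place and `da build rewrite_confs` has regenerated httpd.conf. Running check_xfo against a hosted site before and after the rebuild is the quickest way to confirm the template was actually picked up rather than editing httpd.conf by hand.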
 