RunCloud Tip! How to Configure X-Frame-Options => SAMEORIGIN

Here’s the right way to configure, enable/disable “X-Frame-Options => SAMEORIGIN” and other server hardening headers on RunCloud — hope this helps.

RunCloud.io, the SaaS-based PHP cloud server and web hosting control panel, has automated certain server hardening techniques.

In this case, it enables the “X-Frame-Options => SAMEORIGIN” header by default. This prevents clickjacking attacks, that is, a domain with a different origin placing your website and its content within an iframe.

You can easily disable this in the RunCloud server manager:

Navigate to your server, and the web application of your choice.

Simply uncheck the “Clickjacking Protection” button under “Settings”.

This is how the headers changed for me.

With “Clickjacking Protection” enabled:

HTTP/1.1 200 OK =>
Server => nginx-rc
Date => Wed, 11 Jul 2018 14:37:51 GMT
Content-Type => text/html; charset=utf-8
Connection => close
Vary => Accept-Encoding
Expires => Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control => no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma => no-cache
Set-Cookie => c5942f215897cee787d98eae996db2ca=hqrr7f3ub3044jas36gncjk5ea; path=/; secure; HttpOnly
Last-Modified => Wed, 11 Jul 2018 14:37:51 GMT
X-Frame-Options => SAMEORIGIN
X-XSS-Protection => 1; mode=block
X-Content-Type-Options => nosniff

With “Clickjacking Protection” disabled:

HTTP/1.1 200 OK =>
Server => nginx-rc
Date => Wed, 11 Jul 2018 14:37:07 GMT
Content-Type => text/html; charset=utf-8
Connection => close
Vary => Accept-Encoding
Expires => Wed, 17 Aug 2005 00:00:00 GMT
Cache-Control => no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma => no-cache
Set-Cookie => c5942f215897cee787d98eae996db2ca=i6v9pvmbbe3hhdsqslljnp4bpi; path=/; secure; HttpOnly
Last-Modified => Wed, 11 Jul 2018 14:37:07 GMT
X-XSS-Protection => 1; mode=block
X-Content-Type-Options => nosniff

And that’s it. No need to configure anything manually as usual.
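
To check the result of the toggle without comparing the dumps by eye, this added example (not RunCloud's or the author's code) parses header dumps in the “Name => value” layout shown above and reports which of the three hardening headers regressed. The function names are hypothetical and the sample dumps are abbreviated from the output above.

```python
# Added example: audit response-header dumps in the "Name => value" layout.
# Accepted values per hardening header (compared case-insensitively).
HARDENING = {
    "x-frame-options": {"deny", "sameorigin"},
    "x-xss-protection": {"1; mode=block"},
    "x-content-type-options": {"nosniff"},
}

# Sample input: abbreviated from the two dumps shown on this page.
ENABLED = """HTTP/1.1 200 OK =>
Server => nginx-rc
X-Frame-Options => SAMEORIGIN
X-XSS-Protection => 1; mode=block
X-Content-Type-Options => nosniff"""
DISABLED = ENABLED.replace("X-Frame-Options => SAMEORIGIN\n", "")

def parse_dump(text):
    """Return {lowercased header name: [values]}; the status line is skipped."""
    headers = {}
    for line in text.strip().splitlines():
        name, sep, value = line.partition("=>")
        name = name.strip()
        if not sep or name.upper().startswith("HTTP/"):
            continue
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers

def audit(text):
    """Map each hardening header to 'ok', 'missing', 'duplicated' or 'unexpected: <value>'."""
    headers = parse_dump(text)
    report = {}
    for name, allowed in HARDENING.items():
        values = headers.get(name, [])
        if not values:
            report[name] = "missing"
        elif len(values) > 1:
            # Sent more than once (e.g. by both the app and the proxy): review it.
            report[name] = "duplicated"
        elif values[0].lower() not in allowed:
            report[name] = "unexpected: " + values[0]
        else:
            report[name] = "ok"
    return report

def regressions(before, after):
    """Headers that were 'ok' in the first dump but are not in the second."""
    a, b = audit(before), audit(after)
    return sorted(h for h in HARDENING if a[h] == "ok" and b[h] != "ok")

if __name__ == "__main__":
    print(regressions(ENABLED, DISABLED))
```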

Questions about server hardening of RunCloud?
Please, place your thoughts below.

Thank you for your visit, David.