Overwrite X-Frame-Option on Ghost Site

I’m running a Ghost site on DigitalOcean and need to update the X-Frame-Options header that seems to have been added automatically. I ran this command to search through all the files:

grep -ri "X-Frame-Options" /etc/nginx

and it turned out that the header was set only in ssl-params.conf. I tried to disable it by commenting the line out, but no change was reflected on the front end. Is there another option to disable this header on my Ghost site? I checked config.production.json too but couldn’t find the option.

It might sound simple, but did you reload the nginx config (sudo nginx -s reload)?

1 Like

I just wanted to confirm that sudo nginx -s reload was the solution.

I set up Ghost on Digital Ocean, and I set up my blog so that it would be proxied on my root domain (where everything is cached behind CloudFlare). I also disabled access to the /blog/ghost path on my root domain, so that I could only access the /ghost admin interface on a separate subdomain. This caused problems because the Ghost “site preview” feature was trying to load the site from my root domain in an iframe, while I was editing the site from a different subdomain. So I needed to remove the X-Frame-Options header. (A better solution would be if I could configure the “site preview” to load the site from a different domain. Even when the iframe issue is fixed, this is still a bit annoying because I have to purge the CloudFlare cache to see any updates.)

I also found the X-Frame-Options header in /etc/nginx/snippets/ssl-params.conf:

root@ghost-*****-01:/var/www/ghost# grep -ri "X-Frame-Options" /etc/nginx
/etc/nginx/snippets/ssl-params.conf:add_header X-Frame-Options SAMEORIGIN;

I edited this file and commented out the “add_header X-Frame-Options” line with a “#” character, like this:

add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
# add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;

Then I ran nginx -s reload. After that, the X-Frame-Options header was successfully removed from my responses:

$ curl -I https://mysite.com/blog
HTTP/2 301
server: nginx/1.14.0 (Ubuntu)
date: Sat, 16 May 2020 09:48:23 GMT
content-type: text/html
content-length: 194
location: https://mysite.com/blog
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
1 Like
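The shell script below is an added example; it is not code from this thread, from Ghost or from nginx. It builds a constructed nginx config tree in a temporary directory that mirrors the thread's layout (the header commented out in snippets/ssl-params.conf) and adds two things a practitioner would want to check: a grep that lists only the X-Frame-Options directives that are still active (the grep -ri used above keeps reporting the commented-out line after it has been disabled), and a function that reads captured response headers and reports which frame policy a browser will actually enforce. The constructed site config also shows the nginx add_header inheritance rule (an add_header inside a location block replaces every add_header inherited from the server level, so a live copy can survive there) and, instead of dropping frame protection entirely, a Content-Security-Policy frame-ancestors directive that lets only the admin host embed the site. The hostname admin.example.com, the proxy address and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not code from the forum thread, Ghost or nginx. It builds a
# constructed nginx config tree in a temp directory, lists X-Frame-Options
# directives that are still active, and reports the frame policy a captured
# response actually enforces. admin.example.com and all paths are assumptions.
set -eu

# Create a constructed config tree that mirrors the thread: the header is
# commented out in snippets/ssl-params.conf, but the site config still sets
# a live copy inside a location block. Prints the directory path.
make_sample_config() {
    _dir=$(mktemp -d)
    mkdir -p "$_dir/snippets" "$_dir/sites-enabled"
    cat > "$_dir/snippets/ssl-params.conf" <<'EOF'
add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload';
# add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
EOF
    cat > "$_dir/sites-enabled/ghost" <<'EOF'
server {
    include snippets/ssl-params.conf;
    # Instead of dropping frame protection, allow framing only by the site
    # itself and by the admin host (hypothetical name). Browsers that support
    # CSP frame-ancestors give it precedence over X-Frame-Options.
    add_header Content-Security-Policy "frame-ancestors 'self' https://admin.example.com";
    location /blog/ghost/ {
        # add_header inside a nested block replaces every add_header inherited
        # from the enclosing level, so HSTS has to be repeated here and this
        # X-Frame-Options stays active even though the snippet's copy is off.
        # "always" is needed because add_header is otherwise skipped on a 403.
        add_header Strict-Transport-Security 'max-age=63072000; includeSubDomains; preload' always;
        add_header X-Frame-Options DENY always;
        return 403;
    }
    location / {
        proxy_pass http://127.0.0.1:2368;
    }
}
EOF
    printf '%s\n' "$_dir"
}

# Print active (uncommented) X-Frame-Options directives under directory $1
# as path:line:text. A plain `grep -ri X-Frame-Options` also reports the
# commented-out line, which is misleading once the directive is disabled.
active_xfo_directives() {
    grep -rnE '^[[:space:]]*add_header[[:space:]]+X-Frame-Options' "$1" || true
}

# Read response headers (e.g. from `curl -sI`) on stdin and print the frame
# policy a browser will enforce: the CSP frame-ancestors directive if present,
# otherwise the X-Frame-Options value, otherwise "none".
effective_frame_policy() {
    hdrs=$(tr -d '\r')
    csp=$(printf '%s\n' "$hdrs" | grep -iE '^content-security-policy:' \
          | grep -oiE 'frame-ancestors[^;]*' | head -n 1)
    if [ -n "$csp" ]; then
        printf '%s\n' "$csp"
        return 0
    fi
    xfo=$(printf '%s\n' "$hdrs" | grep -iE '^x-frame-options:' | head -n 1 \
          | sed -E 's/^[^:]*:[[:space:]]*//')
    if [ -n "$xfo" ]; then
        printf 'X-Frame-Options %s\n' "$xfo"
        return 0
    fi
    printf 'none\n'
}
```

On a real box, source the file and run active_xfo_directives /etc/nginx after editing; then run nginx -t before nginx -s reload so a syntax error does not leave the old config serving, and finally pipe curl -sI https://mysite.com/blog into effective_frame_policy to confirm what clients see rather than what the file says.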