8

I'm using Apache 2.2 and want to set the X-Frame-Options header to "deny" across most of the site. I can turn it on unconditionally using mod_headers. However, there is one CGI scripts that returns content that has to be framed, so I need to turn it off for that script. Is there a way to do this?

I'm using Debian's Apache 2.2.9.

user9876
  • 187
  • 1
  • 1
  • 8

2 Answers2

11

Try using the SetEnvIf directive, coupled with env in your Header directive:

SetEnvIf Request_URI "/MyCGI" is_cgi
Header set X-Frame-Options some-value env=!is_cgi

(or something close to that :-))

Matt Solnit
  • 913
  • 2
  • 11
  • 16
8

You can use the Location directive.

<Location /url/fragment/to/my/cgi/script>
  Header unset X-Frame-Options
</Location> 
Amandasaurus
  • 30,211
  • 62
  • 184
  • 246