
Set default headers with Nginx

Tomas Norre • October 21, 2021


When working with web development, one needs to take HTTP headers into consideration too. Not every web application sets the headers that could help with security.

One of these headers is X-Frame-Options:

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites.


So how do you set a default with Nginx?

In your site configuration in Nginx, you can do as follows:

map $upstream_http_x_frame_options $frame_option {
    default $upstream_http_x_frame_options;   # keep the value the application sent
    ''      SAMEORIGIN;                       # empty/absent: fall back to the default
}
server {
    location ~ \.php$ {
        fastcgi_hide_header X-Frame-Options;  # drop the upstream copy so the header is not sent twice
        add_header X-Frame-Options $frame_option;
    }
}

This is just a very simplified example with basic configuration missing, but I hope you get the point.

Just before the server declaration, you can use the map directive from Nginx. It maps the value of $upstream_http_x_frame_options to $frame_option; if the value is empty, $frame_option is set to SAMEORIGIN.

This lets the add_header X-Frame-Options $frame_option; line send either the header already set by the application or the default set by Nginx.

The application could be as simple as one PHP file:

<?php
header('X-Frame-Options: DENY'); // the application chooses a stricter value than the Nginx default
echo "Hello, World!";

With the PHP file setting the header to X-Frame-Options: DENY, Nginx will let the header stay as is.
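To verify that the setup above behaves as intended, here is an added shell check (not part of the original post) that reads a response header block, as produced by curl -sI, from stdin and reports whether X-Frame-Options is present exactly once with a valid value. It distinguishes the three ways the setup can go wrong: the default not applying (missing), the header being sent twice (the application's copy plus the one from add_header), and an unrecognised value. The URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original post: classify the X-Frame-Options
# header in a captured HTTP response header block read from stdin, e.g.
#   curl -sI https://example.test/index.php | check_xfo
# Exit status: 0 = exactly one valid header, 1 = header missing (the Nginx
# default did not apply), 2 = header sent twice (typical when add_header is
# used without hiding the upstream copy), 3 = unrecognised value.
check_xfo() {
    # Strip CRs, keep X-Frame-Options lines (header names are case-insensitive),
    # and extract the trimmed value of each one, one per line.
    values=$(tr -d '\r' \
        | grep -i '^x-frame-options:' \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//' || true)
    count=$(printf '%s\n' "$values" | grep -c . || true)
    case "$count" in
        0) echo "missing"; return 1 ;;
        1) ;;
        *) echo "duplicate: $(printf '%s' "$values" | tr '\n' ' ')"; return 2 ;;
    esac
    # Values are compared case-insensitively; ALLOW-FROM is obsolete and
    # ignored by current browsers, so it is reported as invalid here.
    upper=$(printf '%s' "$values" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN) echo "ok $values"; return 0 ;;
        *) echo "invalid: $values"; return 3 ;;
    esac
}
```

A duplicate result usually means the upstream header is passed through alongside the add_header one; hiding the upstream copy in the location block (fastcgi_hide_header or proxy_hide_header) resolves it.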


I believe that it's the responsibility of the application to set the correct headers, but I think it can be helpful to set a default at server level that catches potential security issues if the application does not set them.
