Keywords: WordPress + NGINX + SSL - Google Cloud Platform - Technical issue - Other
bnsupport ID: b6dcce30-b6d4-db81-d244-3c45dbf78568
Looks like by default on the WordPress + NGINX + SSL deployment it has the X-Frame-Options header set to “SAMEORIGIN”, I assume to prevent clickjacking attacks.
I’m trying to allow iFrame embeds from a specific domain and it looks like the way to do that is with Content Security Policy (CSP) frame-ancestors (as described in this article: https://nginx.tutorials24x7.com/blog/how-to-secure-nginx-from-clickjack-attack-using-csp-frame-ancestors).
Am I correct in thinking I can add a line like
add_header Content-Security-Policy "frame-ancestors 'self' example1.com example2.com;"; to /opt/bitnami/nginx/conf/nginx.conf, restart NGINX and have this work?
Or does this need to go somewhere else?
I’m new to this stack and just trying to make sure I’m headed in the right direction to accomplish this. Any help/advice would be greatly appreciated!
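As an added illustration (not from the original post and not taken from the Bitnami configuration files), here is an nginx server block showing the default SAMEORIGIN header next to the frame-ancestors policy asked about; the host name, allowed embedder and certificate paths are placeholders. The comments also cover the caveat that bites most often with this change: nginx `add_header` directives in a nested block replace, rather than extend, those inherited from the enclosing level.

```nginx
# Added example; placeholder names, not the stack's own config.
server {
    listen 443 ssl;
    server_name blog.example;                       # placeholder

    ssl_certificate     /path/to/fullchain.pem;     # placeholder
    ssl_certificate_key /path/to/privkey.pem;       # placeholder

    # Before: the stock deployment forbids framing by any other origin.
    # X-Frame-Options cannot express a per-domain allowlist (ALLOW-FROM is
    # obsolete), so it is removed rather than kept alongside the CSP header.
    # add_header X-Frame-Options "SAMEORIGIN" always;

    # After: only this site and the listed origin may frame the pages.
    # Every other origin is still refused, so clickjacking protection is
    # narrowed, not dropped. Keep the scheme in the source expression so
    # a plain-http page on that domain cannot embed the site.
    add_header Content-Security-Policy
        "frame-ancestors 'self' https://allowed-embedder.example;" always;

    # Caveat: add_header in a location block replaces everything inherited
    # from the server level. This block sets its own header, so the CSP
    # header must be repeated here or responses from /wp-admin/ ship
    # without any framing restriction at all.
    location /wp-admin/ {
        add_header Cache-Control "no-store" always;
        add_header Content-Security-Policy
            "frame-ancestors 'self' https://allowed-embedder.example;" always;
        try_files $uri $uri/ /index.php?$args;
    }

    location / {
        # No add_header here, so the server-level CSP header is inherited.
        try_files $uri $uri/ /index.php?$args;
    }
}
```

After reloading, `curl -sI https://blog.example/` and `curl -sI https://blog.example/wp-admin/` should both show the Content-Security-Policy header and no X-Frame-Options header.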