How to use a Bitnami Wordpress site to embed H5P into a Bitnami Moodle site for use with Moodle Mobile

Keywords: Moodle - Amazon Web Services - How to - Permissions
This is a bit of a workaround to get this working and may become redundant with the new M3.5 release and upgrade of the base used for the M3.5 Mobile app.

Setup your Bitnami WP site
Load in your H5P activities.

You will then find when you go to iframe these in to your moodle site you are going to come up against this next problem.


Refused to display ‘’ in a frame because it set ‘X-Frame-Options’ to ‘SAMEORIGIN’.

You will then need to access the httpd.conf file and comment out.

Header always setifempty X-Frame-Options SAMEORIGIN

to this…

#       Header always setifempty X-Frame-Options SAMEORIGIN**


Header always merge X-Frame-Options SAMEORIGIN

To this…

#       Header always merge X-Frame-Options SAMEORIGIN**

The main Apache configuration file is located at /opt/bitnami/apache2/conf/httpd.conf.

Goes without saying…restart apache

sudo /opt/bitnami/ restart apache

This comes from the following conversations on using H5P on the Moodle Mobile app. So if you want the best of both worlds, this is a work around.

Probably for the Bitnami crew, the question I have is…
How much of a security risk is this ?
and is there a better way to do it?

As a note before you do this, understand why it is set like this…'+to+'sameorigin'.&oq=X-Frame-Options'+to+'sameorigin'.&aqs=chrome..69i57j0l5.1965j0j8&sourceid=chrome&ie=UTF-8


Hi @advancedcskills,

Thank you for sharing this information here.

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a frame, iframe or object. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

If the application needs to enable that header in HTTP, you can use the “ALLOW-FROM” option to allow different sites (,, yourIP, …)

Happy to help!

Was my answer helpful? Click on :heart:

1 Like

Thanks for that.
Given me the information I needed.

So basically as we know the Moodle site we will stream to, we can lock down the xframe ability to just that site address via the httpd.conf file…

Will set it up and report back on any problems if any.

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.