I've found many answers on how to remove X-Frame-Options SAMEORIGIN, but I've been unable to find a correct answer for how to add it.
The app is on Heroku and is running under Rails 2.3.15 (nginx). I don't think it is a Sinatra app (I say this only because there is no config.ru. A friend built the app for me and he's unable to help out now, so I'm not positive.)
I tried adding the following to /app/controllers/application_controller.rb but it just made every page return a 503:
# Rails 3+ style setting: `config` is not available inside a Rails 2.3 controller
# file, so this raises at boot and the app never starts (hence the 503s).
config.action_dispatch.default_headers = {
  'X-Frame-Options' => 'SAMEORIGIN'
}
When that failed I tried this syntax instead, in the same file:
# Defines the method but never registers it as a filter, so it is never called
# and no header is added.
def set_x_frame_options
  response.headers["X-Frame-Options"] = "SAMEORIGIN"
end
That doesn't seem to break anything, but there are also no new HTTP headers added.
As you may be able to tell, I barely know what I'm talking about here, so please feel free to talk to me like I'm a n00b in your answer. :-)
-=-=- edit -=-=-=-
Figured it out myself for adding the HTTP header to pages served from the app itself.
Added this to /app/controllers/application_controller.rb :
# Runs default_headers before every action in every controller that inherits
# from ApplicationController, so each controller response carries the header.
before_filter :default_headers

def default_headers
  headers['X-Frame-Options'] = 'SAMEORIGIN'
end
Still not sure how to add it to a few pages I have outside the app, in /public/, so pointers welcome on that front.
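One way to cover both the controller responses and files served out of /public in a single place is a Rack middleware, since static files served by the Rack stack pass through the same middleware chain as controller actions. The following is an added example, not code from the question or its app: a minimal middleware that sets X-Frame-Options on every response that lacks one. Rack's middleware contract is just an object whose call(env) returns [status, headers, body], so the example runs with plain Ruby and a constructed stand-in app; the class name FrameOptionsMiddleware and the sample paths are assumptions.

```ruby
# Added example (not from the original post): a Rack-style middleware that sets
# X-Frame-Options on every response passing through it. Runs with plain Ruby;
# no rack gem is required because only the call(env) contract is used.
class FrameOptionsMiddleware
  HEADER = 'X-Frame-Options'.freeze

  # value: 'DENY' or 'SAMEORIGIN' (the two values every browser understands)
  def initialize(app, value = 'SAMEORIGIN')
    @app   = app
    @value = value
  end

  def call(env)
    status, headers, body = @app.call(env)
    # Do not clobber a stricter header a controller set deliberately for one page.
    headers[HEADER] = @value unless headers.key?(HEADER)
    [status, headers, body]
  end
end

# Constructed stand-in for "Rails app + static files from /public" (hypothetical paths).
SAMPLE_APP = lambda do |env|
  case env['PATH_INFO']
  when '/public/page.html'
    # A static file: no controller ever runs, so nothing else would add the header.
    [200, { 'Content-Type' => 'text/html' }, ['<html>static</html>']]
  when '/admin'
    # A controller that already chose the stricter DENY; the middleware leaves it alone.
    [200, { 'Content-Type' => 'text/html', 'X-Frame-Options' => 'DENY' }, ['<html>admin</html>']]
  else
    [200, { 'Content-Type' => 'text/html' }, ['<html>app</html>']]
  end
end

# Returns the X-Frame-Options value a client would see for the given path.
def frame_options_for(path, value = 'SAMEORIGIN')
  app = FrameOptionsMiddleware.new(SAMPLE_APP, value)
  _status, headers, _body = app.call('PATH_INFO' => path, 'REQUEST_METHOD' => 'GET')
  headers['X-Frame-Options']
end

if __FILE__ == $0
  %w[/ /public/page.html /admin].each do |path|
    puts "#{path} -> X-Frame-Options: #{frame_options_for(path)}"
  end
end
```

In a Rails 2.3 app the class would go in lib/ and be registered from config/environment.rb with `config.middleware.use FrameOptionsMiddleware` (after a `require` for the file), which is the standard Rails 2.3 way to insert middleware. One caveat: this only covers responses that actually travel through the Rack stack. If a front-end web server such as nginx serves /public directly, the header has to be added in that server's configuration instead, so it is worth checking the response headers of a static file on the deployed app to confirm which path it takes.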