Please whitelist cPanel in your adblocker so that you’re able to see our version release promotions, thanks!

The Community Forums

Interact with an entire community of cPanel & WHM users!

Unset / allowall "X-Frame-Options" in cPanel without using ssh?

Discussion in 'General Discussion' started by 2Pro4u, May 29, 2018.

  1. 2Pro4u

    2Pro4u Member

    Joined:
    Jan 17, 2017
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    This new setting, which I believe cpanel has enforced in one of my recent cpanel updates to only the origin domain, needs to be changed on my server.

    I can see that there is a cpanel option called "Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd", but this notes that it sets the "X-Frame-Options" to "SAMEORIGIN". I need it either unset or set to ALLOWALL or the equivalent.

    I've attempted to follow this guide: jamesmaurer.com/enable-or-disable-x-frame-option-sameorigin.asp

    and tried both "all versions" of apache, and the specific version option. Restarted Apache through all the testing, and nothing worked.

    Is there any other option available to me, while staying inside cpanel GUI or .htaccess, or will I need to contact my support provider to do this via SSH command line?

    If possible, I'd like to be able to set it on a per-site basis.
     
    #1 2Pro4u, May 29, 2018
    Last edited by a moderator: May 29, 2018
  2. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @2Pro4u,

    The link you referenced is for Apache, and the setting you referenced is for cpsrvd (e.g. cPanel, WHM, Webmail).

    Are you attempting to modify the cpsrvd setting? If so, the following option is available under the Security tab in WHM >> Tweak Settings:

    Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd

    It defaults to OFF and per it's description:

    If you wanted to modify this setting via the command line, you'd use the following command:

    Code:
    whmapi1 set_tweaksetting key=xframecpsrvd value=1
    "1" represents ON and "0" represents OFF.

    Note you'd need root access to the server to change this setting. If you don't have root access, you'd need to inquire about this option with your web hosting provider.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  3. 2Pro4u

    2Pro4u Member

    Joined:
    Jan 17, 2017
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    The "X-Frame-Options and X-Content-Type-Options headers with cpsrvd" setting is currently off, but iframes are NOT working across domains. The description for the setting notes: "When you enable this option, the system adds the X-Frame-Options header, with a value of SAMEORIGIN"

    We do not want SAMEORIGIN, we want all. The description, as far as my understanding, doesn't give any option for getting an "ALLOWALL" setting, it's only a radio button, on, and allow sameorigin, or off, and disallow all.
     
  4. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @2Pro4u,

    To clarify, is this for the website content of these domain names, or are you referring to the cPanel, WHM, & Webmail interfaces? The option you see in WHM >> Tweak Settings applies to cpsrvd and does not apply to Apache. Thus, it does not affect the actual web pages for your domain names.

    If you're looking to change that setting for your websites, you'd need to follow the instructions on a thread like this:

    SOLVED - htaccess Header Set doesn't set

    Let me know if that helps.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  5. 2Pro4u

    2Pro4u Member

    Joined:
    Jan 17, 2017
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    I don't understand a lot of what's being talked about in that thread, and it seems like it actually not what I need. Basically, I just want my server to support iframes across domains, and the setting to not be overwritten when I update cpanel.

    What do I need to change to accomplish this, since someone along the chain of backend web softwares (cpanel,nginx,apache,cloudlinux) has pretty much broken the iframe tag from working completely, without some minuscule server setting change.
     
  6. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @2Pro4u,

    You mentioned using Nginx. This software is not supported with cPanel & WHM. Can you let us know the specific plugin you used to install Nginx so we can check to see if this is a known issue with the third-party plugin you are using?

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...
  7. 2Pro4u

    2Pro4u Member

    Joined:
    Jan 17, 2017
    Messages:
    13
    Likes Received:
    0
    Trophy Points:
    1
    Location:
    Earth
    cPanel Access Level:
    Root Administrator
    cPnginx Version 10.13
     
  8. cPanelMichael

    cPanelMichael Technical Support Community Manager
    Staff Member

    Joined:
    Apr 11, 2011
    Messages:
    44,803
    Likes Received:
    1,898
    Trophy Points:
    363
    cPanel Access Level:
    Root Administrator
    Twitter:
    Hello @2Pro4u,

    Can you temporarily disable Nginx and enable Apache to help determine if your Nginx configuration is the culprit? Or, consider reaching out to the support team of the Nginx application you are using to see if there's a specific configuration change you should make.

    Thank you.
     
    Stop hovering to collapse... Click to collapse... Hover to expand... Click to expand...

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice