Unset / allowall "X-Frame-Options" in cPanel without using ssh?

2Pro4u

Member
Jan 17, 2017
18
0
1
Earth
cPanel Access Level
Root Administrator
This new setting, which I believe cpanel has enforced in one of my recent cpanel updates to only the origin domain, needs to be changed on my server.

I can see that there is a cpanel option called "Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd", but this notes that it sets the "X-Frame-Options" to "SAMEORIGIN". I need it either unset or set to ALLOWALL or the equivalent.

I've attempted to follow this guide: jamesmaurer.com/enable-or-disable-x-frame-option-sameorigin.asp

and tried both "all versions" of apache, and the specific version option. Restarted Apache through all the testing, and nothing worked.

Is there any other option available to me, while staying inside cpanel GUI or .htaccess, or will I need to contact my support provider to do this via SSH command line?

If possible, I'd like to be able to set it on a per-site basis.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,880
2,268
463
Hello @2Pro4u,

The link you referenced is for Apache, and the setting you referenced is for cpsrvd (e.g. cPanel, WHM, Webmail).

Are you attempting to modify the cpsrvd setting? If so, the following option is available under the Security tab in WHM >> Tweak Settings:

Use X-Frame-Options and X-Content-Type-Options headers with cpsrvd

It defaults to OFF and per its description:

Use the X-Frame-Options HTTP response header to indicate whether a browser can render a page in a <frame>, <iframe> or <object> tag. This allows websites to ensure that their contents are not embedded into other sites, to avoid clickjacking attacks.
The server uses the X-Content-Type-Options response HTTP header to indicate that the MIME types in the Content-Type headers should not be changed or followed.
When you enable this option, the system adds the X-Frame-Options header, with a value of SAMEORIGIN, and the X-Content-Type-Options header, with a value of nosniff, to cpsrvd responses.
If you wanted to modify this setting via the command line, you'd use the following command:

Code:
whmapi1 set_tweaksetting key=xframecpsrvd value=1
"1" represents ON and "0" represents OFF.

Note you'd need root access to the server to change this setting. If you don't have root access, you'd need to inquire about this option with your web hosting provider.

Thank you.
 

2Pro4u

The "X-Frame-Options and X-Content-Type-Options headers with cpsrvd" setting is currently off, but iframes are NOT working across domains. The description for the setting notes: "When you enable this option, the system adds the X-Frame-Options header, with a value of SAMEORIGIN"

We do not want SAMEORIGIN, we want all. The description, as far as my understanding, doesn't give any option for getting an "ALLOWALL" setting, it's only a radio button, on, and allow sameorigin, or off, and disallow all.
 

cPanelMichael

Hello @2Pro4u,

2Pro4u said: "but iframes are NOT working across domains."
To clarify, is this for the website content of these domain names, or are you referring to the cPanel, WHM, & Webmail interfaces? The option you see in WHM >> Tweak Settings applies to cpsrvd and does not apply to Apache. Thus, it does not affect the actual web pages for your domain names.

If you're looking to change that setting for your websites, you'd need to follow the instructions on a thread like this:

SOLVED - htaccess Header Set doesn't set

Let me know if that helps.

Thank you.
 

2Pro4u

I don't understand a lot of what's being talked about in that thread, and it seems like it's actually not what I need. Basically, I just want my server to support iframes across domains, and the setting to not be overwritten when I update cpanel.

What do I need to change to accomplish this, since someone along the chain of backend web software (cpanel, nginx, apache, cloudlinux) has pretty much broken the iframe tag from working completely, without some minuscule server setting change?
 

cPanelMichael

Hello @2Pro4u,

You mentioned using Nginx. This software is not supported with cPanel & WHM. Can you let us know the specific plugin you used to install Nginx so we can check to see if this is a known issue with the third-party plugin you are using?

Thank you.
 

cPanelMichael

cPnginx Version 10.13
Hello @2Pro4u,

Can you temporarily disable Nginx and enable Apache to help determine if your Nginx configuration is the culprit? Or, consider reaching out to the support team of the Nginx application you are using to see if there's a specific configuration change you should make.

Thank you.
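
Added example, not part of the original thread or cPanel's own code: when several layers (cpsrvd, Apache, a front-end proxy) can each set framing headers, it helps to evaluate what the final response actually carries. The sketch below follows the HTML Standard's X-Frame-Options processing and the precedence of CSP `frame-ancestors`; the function name and the sample header sets are constructed for illustration.

```python
# Added example: evaluate the framing policy carried by HTTP response headers.
# SAMPLES are constructed header sets, not captures from a real server.

def framing_policy(headers):
    """headers: list of (name, value) pairs in the order received."""
    xfo, ancestors = [], []
    for name, value in headers:
        lname = name.strip().lower()
        if lname == "x-frame-options":
            # The header may be repeated or carry a comma-separated list.
            xfo += [v.strip().lower() for v in value.split(",") if v.strip()]
        elif lname == "content-security-policy":
            for directive in value.split(";"):
                parts = directive.split()
                if parts and parts[0].lower() == "frame-ancestors":
                    ancestors.append(" ".join(parts[1:]) or "'none'")
    # If any CSP has frame-ancestors, browsers ignore X-Frame-Options entirely.
    if ancestors:
        return "csp: frame-ancestors " + " AND ".join(ancestors)
    values = set(xfo)
    # Conflicting values that include a known keyword block framing outright.
    if len(values) > 1 and values & {"deny", "sameorigin", "allowall"}:
        return "blocked: conflicting X-Frame-Options values"
    if "deny" in values:
        return "blocked: DENY"
    if "sameorigin" in values:
        return "same-origin only: SAMEORIGIN"
    if values:
        # e.g. ALLOWALL: not DENY or SAMEORIGIN, so it imposes no restriction.
        return "framing allowed: non-restricting value (%s)" % ", ".join(sorted(values))
    return "framing allowed: no X-Frame-Options header"

SAMPLES = {
    "sameorigin": [("X-Frame-Options", "SAMEORIGIN"),
                   ("X-Content-Type-Options", "nosniff")],
    "no_header": [("Content-Type", "text/html")],
    "allowall": [("X-Frame-Options", "ALLOWALL")],
    # One layer sets SAMEORIGIN, another appends ALLOWALL instead of replacing it.
    "two_layers": [("X-Frame-Options", "SAMEORIGIN"),
                   ("X-Frame-Options", "ALLOWALL")],
    "csp_wins": [("X-Frame-Options", "DENY"),
                 ("Content-Security-Policy",
                  "default-src 'self'; frame-ancestors https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print("%-11s %s" % (label, framing_policy(hdrs)))
```

The `two_layers` case is the one to watch for in a stacked setup: adding a permissive value at one layer while another still emits SAMEORIGIN leaves framing blocked, so the restrictive header has to be removed at the layer that sets it. For per-site control, a `frame-ancestors` allowlist of the specific embedding origins is narrower than removing the protection entirely.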