I need to set X-Frame-Options for my entire site, but allow it for one file. How do I do this?
The path wildcards only allow *, no negation.
I could override the header for the one path, but I need the header to not be sent at all, so I can’t set any value for the header.
You’re correct, the Static Site Headers don’t currently provide any way to negate rules, please feel free to add this as a feature request on our feedback site so it can be reviewed by other customers and our team.
If you have a small/manageable number of pages, maybe you could add the page header individually? If that’s not practical, for now you may need to consider using as Web Service to have more control over the headers the app serves.
Apologies, I think a typo on my part may have confused matters:
If you have a small/manageable number of pages, maybe you could add the page header individually?
I missed an “s” from “headers”.
As we’ve both confirmed negating/removing isn’t currently possible. You wouldn’t be able to add the single page individually to remove the header if the wildcard covers it, you would only be able to override it to another value, which you noted doesn’t meet your requirements.
You could add individual paths as per the docs, I’m not sure of your path structure, but I double-checked the behavior on a personal test static site. It’s a contrived example with a simple static structure such as:
Whereas https://example.onrender.com/ doesn’t return a x-myheader at all.
It’s not certainly not the most elegant solution and not particularly practical if you have a large number of pages/paths.
Alternative solutions could include Cloudflare’s Transform Rules (if you use Cloudflare) or using a Web Service to control headers with your own app server.