Header Exception

I need to set X-Frame-Options for my entire site, but allow it for one file. How do I do this?

The path wildcards only allow *, no negation.
I could override the header for the one path, but I need the header to not be sent at all, so I can’t set any value for the header.

Nothing in the docs helps.

Hi Brendan,

Thanks for reaching out.

You’re correct, the Static Site Headers don’t currently provide any way to negate rules. Please feel free to add this as a feature request on our feedback site so it can be reviewed by other customers and our team.

If you have a small/manageable number of pages, maybe you could add the page header individually? If that’s not practical, for now you may need to consider using a Web Service to have more control over the headers the app serves.

Please let us know if we can assist any further.

Kind regards

Alan

> If you have a small/manageable number of pages, maybe you could add the page header individually?

I do indeed, as I noted in my original post:

> allow it for one file

I also asked how to do this:

> I could override the header for the one path, but I need the header to not be sent at all, so I can’t set any value for the header.

To put it differently, how can I “add the page individually” in a way that does not send the header for that path at all?

Apologies, I think a typo on my part may have confused matters:

> If you have a small/manageable number of pages, maybe you could add the page header individually?

I missed an “s” from “headers”.

As we’ve both confirmed, negating/removing isn’t currently possible. You wouldn’t be able to add the single page individually to remove the header if the wildcard covers it; you would only be able to override it to another value, which you noted doesn’t meet your requirements.

You could add individual paths as per the docs, I’m not sure of your path structure, but I double-checked the behavior on a personal test static site. It’s a contrived example with a simple static structure such as:

    my-site/
    ├─ about/
    │  ├─ index.html
    ├─ contact/
    │  ├─ index.html
    index.html

And the headers set to:

    /about* -> X-MyHeader: 123
    /contact* -> X-MyHeader: 123

The following requests:

    https://example.onrender.com/about
    https://example.onrender.com/about/
    https://example.onrender.com/about/index.html
    https://example.onrender.com/contact
    https://example.onrender.com/contact/
    https://example.onrender.com/contact/index.html

All respond with x-myheader set to 123.

Whereas https://example.onrender.com/ doesn’t return an x-myheader at all.

It’s certainly not the most elegant solution and not particularly practical if you have a large number of pages/paths.

Alternative solutions could include Cloudflare’s Transform Rules (if you use Cloudflare) or using a Web Service to control headers with your own app server.

Please let us know if we can assist any further.

Alan
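
The Web Service alternative mentioned in the reply above, shown as an added example (not code from this thread or from Render): a Node.js handler wrapper that sends X-Frame-Options on every response except one exact path, where the header is omitted entirely. The value `DENY` and the path `/embed/widget.html` are assumed placeholders, and the function names are hypothetical.

```javascript
// Added example: site-wide X-Frame-Options with a single exempt path.
// Assumptions (not from the thread): the DENY value and the exempt path
// /embed/widget.html are placeholders for the site's real settings.
const FRAME_POLICY = 'DENY';
const EXEMPT_PATHS = new Set(['/embed/widget.html']);

// Resolve the request target to a normalized pathname (query string
// dropped, dot segments collapsed). Prefixing a fixed origin keeps a
// target such as "//host/embed/widget.html" from being parsed as another
// host whose path happens to equal the exempt one.
function normalizedPath(requestTarget) {
  try {
    return new URL('http://placeholder.invalid' + requestTarget).pathname;
  } catch {
    return null; // unparsable target: never exempt
  }
}

// Exact, case-sensitive match only, so the exemption cannot widen to
// sibling files, trailing-slash variants or look-alike paths.
function isExempt(requestTarget) {
  const path = normalizedPath(requestTarget);
  return path !== null && EXEMPT_PATHS.has(path);
}

// Wrap any (req, res) handler, for instance one that serves static files.
function withFrameOptions(next) {
  return (req, res) => {
    if (!isExempt(req.url)) {
      res.setHeader('X-Frame-Options', FRAME_POLICY);
    }
    // For the exempt path the header is never set, so it is absent from
    // the response rather than overridden with another value.
    return next(req, res);
  };
}
```

The wrapped handler can be passed to Node's `http.createServer`, with `next` being whatever serves the site's files. The default is fail-closed: anything that does not normalize to the exempt path exactly still gets the header.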
