Move X_FRAME_OPTIONS setting from cors to security section (#30256)

## Summary - Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old location still works with a deprecation warning) - Support `"unset"` as a special value to remove the `X-Frame-Options` header entirely - Remove `X-Frame-Options` header from API responses (only set for web/HTML responses) ## Migration If you had customized `cors.X_FRAME_OPTIONS`, move it to the `[security]` section. The old location is deprecated and will be removed in a future release. --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-03-20 03:40:27 +00:00 · 2026-02-22 21:26:46 +01:00
parent fed2d81e88
commit 5f8e19fcef
6 changed files with 27 additions and 13 deletions
--- a/custom/conf/app.example.ini
+++ b/custom/conf/app.example.ini
@@ -521,6 +521,9 @@ INTERNAL_TOKEN =
 ;; Set the two-factor auth behavior.
 ;; Set to "enforced", to force users to enroll into Two-Factor Authentication, users without 2FA have no access to repositories via API or web.
 ;TWO_FACTOR_AUTH =
+;;
+;; The value of the X-Frame-Options HTTP header for HTML responses. Use "unset" to remove the header.
+;X_FRAME_OPTIONS = SAMEORIGIN

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -1290,9 +1293,6 @@ LEVEL = Info
 ;;
 ;; headers to permit
 ;HEADERS = Content-Type,User-Agent
-;;
-;; set X-FRAME-OPTIONS header
-;X_FRAME_OPTIONS = SAMEORIGIN

 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;