aaP_me12 Nginx, out of the box, appears to be setting two x-frame-options, and a poorly configured x-xss-protection header. These aren't coming from Cloudflare, nor are they set in nginx.conf or domain.ext.conf. Any help appreciated.
aaPanel_Kern aaP_me12 Hi, do you have detailed information? The nginx configuration of aapanel does not specifically do these configurations.
aaP_me12 aaPanel_Kern DNS is fronted through Cloudflare, although it is on bypass right now while I debug this issue. You can see the headers in the screenshot.
aaP_me12 aaPanel_Kern I don't know what you mean by a 'website speed plugin', I already stated this was an out-of-the-box setup. While your screenshot shows no second X-Frame-Options header, it does show a poorly configured X-XSS-Protection header. Where is that header being set?
aaP_me12 For future reference, the problematic group of headers is being set in nginx/conf/enable-php-74-wpfastcgi.conf
aaP_me12 aaPanel_Kern You guys should fix that. If it's setting headers, fine, but it should be documented because you can't properly harden the server without changing those records.
aaPanel_Kern aaP_me12 This problem is not reproduced, and enabling X-XSS-Protection at the same time helps security. X-XSS-Protection: 1; mode=block enables XSS filtering. If an attack is detected, the browser will not clear the page, but will prevent the page from loading.
aaP_me12 aaPanel_Kern It should be X-XSS-Protection: 0; by default - you can't trust the browser's filtering mechanisms.
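A small header audit for the two problems raised in this thread, as an added example (not code from aaPanel or from any poster): it parses a constructed nginx-style response and flags a duplicated X-Frame-Options header and any X-XSS-Protection value other than 0.

```python
"""Audit raw HTTP response headers for a duplicated X-Frame-Options header
and a non-zero X-XSS-Protection value. Added example, not aaPanel code."""

# Constructed sample: a site header plus the extra headers an included
# conf file could add, producing two X-Frame-Options values.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
    "<html></html>"
)


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Return (name, value) pairs in order, keeping duplicates."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw: str) -> list[str]:
    """Return findings for a raw response; an empty list means clean."""
    findings = []
    pairs = parse_headers(raw)
    # Two X-Frame-Options values: browsers may treat the conflict as
    # invalid and apply neither, so report it even if both look strict.
    xfo = [v for n, v in pairs if n == "x-frame-options"]
    if len(xfo) > 1:
        findings.append(f"duplicate X-Frame-Options: {xfo}")
    # The directive is the part before any ';' ("1; mode=block" -> "1").
    # Anything other than "0" re-enables the legacy browser filter.
    for v in (v for n, v in pairs if n == "x-xss-protection"):
        if v.split(";", 1)[0].strip() != "0":
            findings.append(f"X-XSS-Protection should be '0', got {v!r}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```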