I'm trying to implement an embeddable widget, functioning similarly to a Twitter embedded tweet. The simplest solution, though maybe not the best, appears to be an iframe or
X-Frame-Options was forced in by ssl.conf.
Commenting out and restarting Apache allowed .htaccess and PHP header management to work again.
Just in case you want to modify this in .htaccess, this is the way:
Header always unset X-Frame-Options env=HTTPS
I had the same problem, and I solved it by writing this in httpd.conf:
Header append X-Frame-Options ALLOWALL
Also, I had to configure the header module to be loaded in order for Apache to understand this directive. Then you must restart httpd.
Consider the following experiment:
Header always set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"
response headers:
X-Frame-Options "DENY"
X-Frame-Options "TEST"
Second experiment:
Header set X-Frame-Options "DENY"
Header unset X-Frame-Options
Header set X-Frame-Options "TEST"
response headers:
X-Frame-Options "TEST"
Conclusion: the always option blocks the original value from being unset; however, it doesn't block adding a new value.
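
The two experiments above can be reproduced with a simplified model of mod_headers, which keeps headers for the always condition and for the default onsuccess condition in separate internal tables, so an unset without always never touches a value that was set with always. This is an added example, not code from the original posts; the function names are hypothetical and the model assumes only set, unset and append, with values that contain no spaces.

```python
# Added example: simplified model of mod_headers' two response-header tables.
# Assumptions: only set/unset/append are modelled, directives run in file
# order, and a successful response carries the contents of both tables.

def parse(directive):
    """Split 'Header [always|onsuccess] action name ["value"]' into fields."""
    parts = directive.split()
    if parts[0] != "Header":
        raise ValueError("not a Header directive: " + directive)
    cond = "onsuccess"                      # default when no condition is given
    if parts[1] in ("always", "onsuccess"):
        cond = parts.pop(1)
    action, name = parts[1], parts[2]
    value = parts[3].strip('"') if len(parts) > 3 else None
    return cond, action, name.lower(), value

def response_headers(directives):
    """Return sorted (name, value) pairs sent on a successful response."""
    tables = {"onsuccess": {}, "always": {}}
    for directive in directives:
        cond, action, name, value = parse(directive)
        table = tables[cond]                # each directive touches ONE table
        if action == "set":
            table[name] = value
        elif action == "unset":
            table.pop(name, None)
        elif action == "append":
            table[name] = f"{table[name]}, {value}" if name in table else value
        else:
            raise ValueError("unsupported action: " + action)
    merged = list(tables["always"].items()) + list(tables["onsuccess"].items())
    return sorted(merged)

EXPERIMENT_1 = ['Header always set X-Frame-Options "DENY"',
                'Header unset X-Frame-Options',
                'Header set X-Frame-Options "TEST"']
EXPERIMENT_2 = ['Header set X-Frame-Options "DENY"',
                'Header unset X-Frame-Options',
                'Header set X-Frame-Options "TEST"']
# Matching the condition on the unset removes the value set with "always".
MATCHED_UNSET = ['Header always set X-Frame-Options "DENY"',
                 'Header always unset X-Frame-Options']

if __name__ == "__main__":
    for label, cfg in [("experiment 1", EXPERIMENT_1),
                       ("experiment 2", EXPERIMENT_2),
                       ("always unset", MATCHED_UNSET)]:
        print(label, response_headers(cfg))
```

When auditing a configuration, check which condition an earlier file such as ssl.conf used before relying on an unset in .htaccess; a response that still carries two X-Frame-Options values is the sign that the conditions did not match.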