Hello Team,
Environment: Oracle APEX on OCI
Version: 24.2.6
DB: ADW
I am implementing some security recommendations before releasing my app to the public.
I've set the app security for “Embed in Frames” (Shared Components → Security Attributes) to “Allow from same origin”.
To test it, I am running the following command:
curl -I https://*****.adb.us-phoenix-1.oraclecloudapps.com/ords/r/***/***/login-otp |grep -i fram
I expect to see a reference to “X-Frame-Options”, but unfortunately I see none. However, if I add it to “HTTP Response Headers”, then I can see it.
HTTP Response Headers:
X-Frame-Options: SAMEORIGIN
curl -I https://*****.adb.us-phoenix-1.oraclecloudapps.com/ords/r/***/***/login-otp |grep -i fram
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
X-Frame-Options: SAMEORIGIN
Therefore, I am assuming that the actual setting of “Embed in Frames” is not working, especially after reviewing the on-screen help for “HTTP Response Headers”, which says:
Enter additional application specific HTTP headers that Oracle APEX should send on each response and that it does not support in another way (for example, X-Frame-Options using the Embed in Frames attribute).
What am I doing wrong?
Thanks,
Lior
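As an added example (not from the original post and not Oracle APEX code): a POSIX shell check that decides whether a captured response carries clickjacking protection, accepting either an X-Frame-Options header or a Content-Security-Policy frame-ancestors directive, plus a helper that fetches the final response of a URL with GET while following redirects, since the headers on a HEAD reply or on a redirect hop can differ from those on the rendered page. The sample responses, the placeholder URL and the function names are constructed for this example.

```shell
# Added example, not from the original post. Returns 0 when a framing
# protection header is present in the given header block, 1 otherwise.
check_frame_headers() {
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  # First X-Frame-Options header, if any (header names are case-insensitive)
  xfo=$(printf '%s\n' "$headers" | grep -i '^x-frame-options:' | head -n1 || true)
  # A CSP header that carries a frame-ancestors directive also blocks framing
  csp=$(printf '%s\n' "$headers" | grep -i '^content-security-policy:' \
        | grep -i 'frame-ancestors' || true)
  if [ -n "$xfo" ]; then
    echo "X-Frame-Options present: ${xfo#*: }"
    return 0
  fi
  if [ -n "$csp" ]; then
    echo "CSP frame-ancestors present"
    return 0
  fi
  echo "no framing protection header found"
  return 1
}

# Fetch a URL with GET, follow redirects, dump all response headers and keep
# only the last (final) header block before checking it. Assumes curl is
# installed; the URL argument is supplied by the caller.
check_url() {
  final=$(curl -sS -L -o /dev/null -D - "$1" | tr -d '\r' \
          | awk 'BEGIN{RS=""} {last=$0} END{print last}')
  check_frame_headers "$final"
}

# Constructed sample responses so the checker can be exercised offline.
PROTECTED_XFO="HTTP/1.1 200 OK
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
"
PROTECTED_CSP="HTTP/1.1 200 OK
Content-Security-Policy: frame-ancestors 'self'
"
UNPROTECTED="HTTP/1.1 302 Found
Location: /ords/r/app/login
"
```

Run `check_url 'https://example.invalid/ords/r/app/page'` (placeholder URL) against a live instance; the exit status is 0 only when the final page response is protected.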