Can't seem to disable frameguard on specific route

I have helmet configured like this:

const app = express()

app.use(helmet())
// ...
app.use('/specificRoute', helmet.frameguard(false), (req, res) => { /* ... */ })

I also tried using helmet({ frameguard: false }) but had the same result - I still get the X-Frame-Options: SAMEORIGIN header.

Issue Analytics

  • State: closed
  • Created 6 years ago
  • Reactions: 4
  • Comments: 7 (4 by maintainers)

Top GitHub Comments

8 reactions
EvanHahn commented, Nov 9, 2017

app.use(helmet()) sets the X-Frame-Options header, and Helmet doesn’t have any mechanisms for undoing these headers. You could do something like this:

const app = express()

app.use(helmet())

function removeFrameguard (req, res, next) {
  req.removeHeader('X-Frame-Options')
  next()
}

app.use('/specificRoute', removeFrameguard, (req, res) => { /* ... */ })

Does that help?

7 reactions
Billy- commented, Nov 9, 2017

I think you meant res.removeHeader rather than req.removeHeader 😉

Conditional middleware in Express seems uncommon enough that it’s not worth baking into the library. It seems like something that needs to be handled at the Express level—either built into Express or as a more general plugin. Does that make sense?

No, not really sure why you would say that, but maybe I’m missing something?

Disabling further down the line seems like a perfectly valid use-case; turn it on as a blanket-statement, then turn it off only as an exception. Shouldn’t be too hard to check if action === false in frameguard and if so res.removeHeader('X-Frame-Options').
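
The two approaches raised in this thread (strip the header on one route, or never set it there), as an added example that is not part of the original issue or Helmet's own code. It assumes Express-style `(req, res, next)` middleware; `frameguardStandIn`, `isUnder`, `only`, `unless` and `headersFor` are hypothetical names, and the stub `req`/`res` objects are constructed so the block runs without express or helmet installed.

```javascript
// True only for the prefix itself or paths beneath it, so that
// '/specificRouteX' does not lose the header by accident.
const isUnder = (prefix, path) => path === prefix || path.startsWith(prefix + '/')

// Stand-in (assumption) for the one effect of app.use(helmet()) discussed here.
function frameguardStandIn (req, res, next) {
  res.setHeader('X-Frame-Options', 'SAMEORIGIN')
  next()
}

// The thread's workaround with the correction applied: res, not req.
function removeFrameguard (req, res, next) {
  res.removeHeader('X-Frame-Options')
  next()
}

// Hypothetical helpers: run `mw` only under, or only outside, `prefix`.
const only = (prefix, mw) => (req, res, next) =>
  isUnder(prefix, req.path) ? mw(req, res, next) : next()
const unless = (prefix, mw) => (req, res, next) =>
  isUnder(prefix, req.path) ? next() : mw(req, res, next)

// Run a middleware chain against a stub response and return the headers set.
function headersFor (path, chain) {
  const headers = {}
  const res = {
    setHeader: (name, value) => { headers[name.toLowerCase()] = value },
    removeHeader: (name) => { delete headers[name.toLowerCase()] }
  }
  const req = { path }
  let i = 0
  const next = () => { if (i < chain.length) chain[i++](req, res, next) }
  next()
  return headers
}

// Option A: set the header everywhere, then strip it on the one route.
const setThenRemove = [frameguardStandIn, only('/specificRoute', removeFrameguard)]
// Option B: never set it on that route in the first place.
const conditionalSet = [unless('/specificRoute', frameguardStandIn)]
```

Either chain leaves `X-Frame-Options: SAMEORIGIN` on every other path, including look-alike paths such as `/specificRouteX`, which a bare `startsWith(prefix)` check would have exempted.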
