How to set per-domain options to allow a site to be embedded in an iframe

For some browsers the X-Frame-Options header is not sufficient; you will need the Content-Security-Policy header.

Two options:

  1. Use the advanced tab. Add something like the following:

     ```nginx
     location / {
       # Force SSL
       include conf.d/include/force-ssl.conf;
       # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
       add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
       # Legacy header: ALLOW-FROM is obsolete and ignored by current browsers
       add_header X-Frame-Options "ALLOW-FROM www.domain.com";
       # frame-ancestors is the directive current browsers enforce
       add_header Content-Security-Policy "frame-ancestors www.domain.com";
       # Proxy!
       include conf.d/include/proxy.conf;
     }
     ```

However, this prevents you from using the toggles for HSTS and similar options on the main page and the SSL page, so you have to add those headers manually, as the snippet above already does.

  2. Add a custom location for this, where you repeat the hostname and port of the destination you want to redirect to, click on the cog, and add the add_header commands there. This also prevents the toggle values from being used, as in option 1, so make sure you add every header you need (e.g. HSTS), as in option 1.
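
To check what the headers from either option actually permit, the following added example (not part of the original page) models how a current browser decides whether an origin may frame the page. The function names, `app.domain.com` and `other.example` are assumptions made for illustration, and source matching is simplified (no ports or paths).

```python
from urllib.parse import urlsplit

def host_source_matches(source, embedder, page_origin):
    """Simplified CSP host-source match (ports and paths are not handled)."""
    emb, page = urlsplit(embedder), urlsplit(page_origin)
    if "://" in source:
        scheme, host = source.lower().split("://", 1)
    else:
        scheme, host = page.scheme, source.lower()  # scheme-less: inherit the page's scheme
    # An http source also matches https embedders (scheme upgrade)
    if emb.scheme != scheme and not (scheme == "http" and emb.scheme == "https"):
        return False
    if host.startswith("*."):
        return emb.hostname.endswith(host[1:])
    return emb.hostname == host

def framing_allowed(headers, embedder, page_origin):
    """Return (allowed, deciding_header) for one embedding origin."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            # frame-ancestors is present, so X-Frame-Options is not consulted
            for src in parts[1:]:
                if src == "'none'":
                    return False, "csp"
                if src == "'self'" and embedder == page_origin:
                    return True, "csp"
                if src == "*" or (not src.startswith("'")
                                  and host_source_matches(src, embedder, page_origin)):
                    return True, "csp"
            return False, "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "xfo"
    if xfo == "SAMEORIGIN":
        return embedder == page_origin, "xfo"
    # ALLOW-FROM (or no header at all) is not enforced: any site may frame the page
    return True, "unrestricted"

# Constructed sample headers: the page's snippet with and without the CSP line
PAGE = "https://app.domain.com"
XFO_ONLY = {"X-Frame-Options": "ALLOW-FROM www.domain.com"}
BOTH = dict(XFO_ONLY, **{"Content-Security-Policy": "frame-ancestors www.domain.com"})

if __name__ == "__main__":
    for name, hdrs in (("XFO only", XFO_ONLY), ("XFO + CSP", BOTH)):
        for site in ("https://www.domain.com", "https://other.example"):
            print(name, site, framing_allowed(hdrs, site, PAGE))
```

With only the `ALLOW-FROM` header, the unrelated origin is reported as allowed, which is why the `frame-ancestors` line is the one that matters.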