[solved] Set X-Frame-Options for Zammad to allow iframe

  • Used Zammad version: 2.8.x
  • Used Zammad installation source: (source, package, …) package APT
  • Operating system: Ubuntu 18.04

Hi,

I want to display the User Login of our Zammad Server in our Joomla Intranet Website, so I added an iframe on a Joomla Site, but the Zammad Server refuses to display the Login because of ‘X-Frame-Options’ set to ‘sameorigin’. Where can I change that behavior?

Regards

Dirk

Does no one have any idea where that X-Frame-Options sameorigin is coming from? When I add a line into nginx with add_header X-Frame-Options 'allow-from http://my.intra.net'; I can see that this option is added to the X-Frame-Options. I think this comes from Zammad itself.

1 Month now and no solution?

X-Frame-Options => “SAMEORIGIN” is a default security behaviour of Ruby on Rails.

Try looking into (versions may differ at your installation):

$ZAMMAD_DIR/vendor/bundle/ruby/2.4.0/gems/actionpack-5.1.6.1/lib/action_dispatch/railtie.rb

You can easily find there some security options which may solve your issues. You can just try to change “SAMEORIGIN” to “ALLOWALL”. Also you may need to play with XSS options.

Perfectly solved my problem. Thank you!

You're welcome, Dirk23.

Also changed XSS Option to 0, don't know if needed, but now I can put it in a frame.

Be aware that this is a potential security issue. Software like Zammad can contain information crucial to your business so be careful with these options.

Yes, I know, but it's only used in an intranet.

Please mark this as Solved.
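
A narrower alternative to the “ALLOWALL” edit discussed in this thread, as an added example that is not part of the original posts and is not Zammad or Rails code: a Rack-style middleware that permits framing only from the intranet origin through the CSP `frame-ancestors` directive, with a simplified model of the browser's check so the outcomes can be compared. The names `ScopedFrameAncestors`, `may_frame?`, `RAILS_DEFAULT` and `scoped_headers` are hypothetical, and the stub app is constructed.

```ruby
# Added example, not Zammad or Rails code; plain Ruby, no gems needed.
# TRUSTED_PARENT is the intranet origin quoted in the thread.
TRUSTED_PARENT = "http://my.intra.net"

# Rack-style middleware: replaces the blanket X-Frame-Options header with a
# CSP frame-ancestors directive naming exactly one allowed parent origin.
class ScopedFrameAncestors
  ORIGIN = %r{\Ahttps?://[A-Za-z0-9.-]+(:\d+)?\z}

  def initialize(app, allowed_origin)
    raise ArgumentError, "expected scheme://host[:port]" unless allowed_origin.match?(ORIGIN)
    @app = app
    @directive = "frame-ancestors 'self' #{allowed_origin}"
  end

  def call(env)
    status, headers, body = @app.call(env)
    headers = headers.reject { |k, _| k.casecmp?("X-Frame-Options") }
    key = headers.keys.find { |k| k.casecmp?("Content-Security-Policy") } || "Content-Security-Policy"
    # Keep any other CSP directives; replace only frame-ancestors.
    kept = headers[key].to_s.split(";").map(&:strip)
                       .reject { |d| d.empty? || d.downcase.start_with?("frame-ancestors") }
    headers[key] = (kept << @directive).join("; ")
    [status, headers, body]
  end
end

# Simplified model of the browser's decision. Assumption: the browser supports
# frame-ancestors, which then takes precedence over X-Frame-Options.
def may_frame?(headers, parent, self_origin)
  h = headers.transform_keys(&:downcase)
  fa = h["content-security-policy"].to_s.split(";").map(&:strip)
        .find { |d| d.downcase.start_with?("frame-ancestors") }
  if fa
    sources = fa.split.drop(1)
    return sources.include?(parent) || (sources.include?("'self'") && parent == self_origin)
  end
  case h["x-frame-options"].to_s.upcase
  when "DENY" then false
  when "SAMEORIGIN" then parent == self_origin
  else true # header absent or unrecognised (e.g. ALLOWALL): no restriction
  end
end

# Constructed stand-in for the Rails app and its default header.
RAILS_DEFAULT = ->(_env) { [200, { "X-Frame-Options" => "SAMEORIGIN" }, ["login"]] }

def scoped_headers
  ScopedFrameAncestors.new(RAILS_DEFAULT, TRUSTED_PARENT).call({})[1]
end
```

In a Rails application a middleware of this shape is registered with `config.middleware.use ScopedFrameAncestors, "http://my.intra.net"`, which survives gem updates, unlike an edit to `railtie.rb` under `vendor/bundle`.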
