From 44c6a0fa206461c20692c00f96f891f6e89723e1 Mon Sep 17 00:00:00 2001 From: silverwind Date: Sun, 22 Feb 2026 20:27:19 +0000 Subject: [PATCH] Move `X_FRAME_OPTIONS` from `cors` to `security` section (#349) ## Summary - Move `X_FRAME_OPTIONS` setting from `[cors]` to `[security]` section in the config cheat sheet - Document the new `unset` value option and clarify the header applies to web responses only Ref: https://github.com/go-gitea/gitea/pull/30256 Reviewed-on: https://gitea.com/gitea/docs/pulls/349 Reviewed-by: Lunny Xiao Co-authored-by: silverwind Co-committed-by: silverwind --- docs/administration/config-cheat-sheet.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/administration/config-cheat-sheet.md b/docs/administration/config-cheat-sheet.md index 695c0ef7..8a90d64e 100644 --- a/docs/administration/config-cheat-sheet.md +++ b/docs/administration/config-cheat-sheet.md @@ -211,7 +211,6 @@ The following configuration set `Content-Type: application/vnd.android.package-a - `MAX_AGE`: **10m**: max time to cache response - `ALLOW_CREDENTIALS`: **false**: allow request with credentials - `HEADERS`: **Content-Type,User-Agent**: additional headers that are permitted in requests -- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value. ## UI (`ui`) @@ -586,6 +585,7 @@ And the following unique queues: - `REVERSE_PROXY_LIMIT`: **1**: Interpret X-Forwarded-For header or the X-Real-IP header and set this as the remote IP for the request. Number of trusted proxy count. Set to zero to not use these headers. - `REVERSE_PROXY_TRUSTED_PROXIES`: **127.0.0.0/8,::1/128**: List of IP addresses and networks separated by comma of trusted proxy servers. Use `*` to trust all. +- `X_FRAME_OPTIONS`: **SAMEORIGIN**: Set the `X-Frame-Options` header value for web responses. Set to `unset` to not send the header. Previously located in `[cors]`. - `DISABLE_GIT_HOOKS`: **true**: Set to `false` to enable users with Git Hook privilege to create custom Git Hooks. :::warning