Files
Gitea/modules
silverwind 5f8e19fcef Move X_FRAME_OPTIONS setting from cors to security section (#30256)
## Summary

- Move `cors.X_FRAME_OPTIONS` to `security.X_FRAME_OPTIONS` (old
location still works with a deprecation warning)
- Support `"unset"` as a special value to remove the `X-Frame-Options`
header entirely
- Remove `X-Frame-Options` header from API responses (only set for
web/HTML responses)

## Migration

If you had customized `cors.X_FRAME_OPTIONS`, move it to the
`[security]` section. The old location is deprecated and will be removed
in a future release.

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-02-22 20:26:46 +00:00
..
2026-01-24 05:11:49 +00:00
2025-09-13 18:01:00 +00:00
2026-01-24 05:11:49 +00:00
2022-12-30 23:31:00 +08:00