How to override X-Frame-Options for FrankenPHP variant

[marns93]

Hello everybody,

I'm using FrankenPHP variant and would like to override the X-Frame-Options header to DENY.

It is set in the Caddyfile to SAMEORIGIN

docker-php/src/variations/frankenphp/etc/frankenphp/Caddyfile

Line 140 in a161e93

X-Frame-Options "SAMEORIGIN"

and from the documentation perspective it should be possible using a > in front of the header name. (https://caddyserver.com/docs/caddyfile/directives/header#syntax)

So my reproducer is as follow:

Start container and set the header

docker run --rm -it -p 8081:8080 \
  -e CADDY_SERVER_EXTRA_DIRECTIVES="header >X-Frame-Options 'DENY'"  \
serversideup/php:8.3.30-frankenphp-v4.3.0-beta1

Request with curl to check the headers curl -I -s http://localhost:8081

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Tue, 20 Jan 2026 18:13:26 GMT

As you can see X-Frame-Options is still SAMEORIGIN.

I've double checked with setting a custom header name and this is working as expected.

docker run --rm -it -p 8081:8080 \
  -e CADDY_SERVER_EXTRA_DIRECTIVES="header >My-Custom-Header 'Works'"  \
serversideup/php:8.3.30-frankenphp-v4.3.0-beta1

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
My-Custom-Header: 'Works'
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
Date: Tue, 20 Jan 2026 18:17:37 GMT

So what am I doing wrong? Any ideas?

Thanks for your support. :)

[jaydrogers]

For us to set DENY as the default will likely be too strict, but here are some ways this could happen:

We could possibly add a feature where you could control this by a variable

I try to keep the variables to as little as possible, but if there is a strong community support behind a feature I like to build it.

You could use sed to make the change

If you are building your own image, you could just make a simple change in your Docker file:

FROM serversideup/php:frankenphp

USER root

# Replace X-Frame-Options with "DENY" regardless of current value
RUN sed -i 's/X-Frame-Options "[^"]*"/X-Frame-Options "DENY"/' /etc/frankenphp/Caddyfile

USER www-data

I usually cringe in the case when people run sed commands on the configs, but in this case I feel like this could be pretty stable. Watch the release notes of course, but at least it could get you want without waiting for another PR to be merged.

[marns93]

Thank you for this. So this means that headers set in

docker-php/src/variations/frankenphp/etc/frankenphp/Caddyfile

Line 137 in a161e93

header {

will override it and CADDY_SERVER_EXTRA_DIRECTIVES can be used to set additional headers. The logic mentioned in https://caddyserver.com/docs/caddyfile/directives/header#syntax by setting > in front of a header name is not working in this place.