X-Permitted-Cross-Domain-Policies

Using Adobe products like PDF, Flash, etc.?

You can implement this header to instruct the browser (and Adobe clients such as Flash Player and Acrobat) on how to handle cross-domain requests. By implementing this header, you restrict other domains from loading your site’s assets and so avoid resource abuse.

There are a few options available.

Value | Description
------------------ | -----------------------------------------------------
none | no policy is allowed
master-only | allow only the master policy
all | everything is allowed
by-content-only | allow only a certain type of content, for example XML
by-ftp-only | applicable only for an FTP server

Apache

If you don’t want to allow any policy, add the following to your Apache configuration.

Header set X-Permitted-Cross-Domain-Policies "none"

You should see the header like the following.

Nginx

And if you need master-only instead, add the following to nginx.conf inside the server block.

add_header X-Permitted-Cross-Domain-Policies master-only;

And the result.
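As an added example (not from the original article), here is a small Python check that reads the raw response headers a server returns after the Apache or Nginx change above and reports whether X-Permitted-Cross-Domain-Policies is present, carries one of the five values from the table, and is not the most permissive one. The sample responses are constructed for the example, not captured from a real server.

```python
# Values defined for the header (the five listed in the table above).
ALLOWED_VALUES = {"none", "master-only", "by-content-only", "by-ftp-only", "all"}

# Constructed sample responses (not captured from a real server).
APACHE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
)
NGINX_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "x-permitted-cross-domain-policies: master-only\r\n"
    "\r\n"
)
MISSING_RESPONSE = "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n"
WEAK_RESPONSE = "HTTP/1.1 200 OK\r\nX-Permitted-Cross-Domain-Policies: ALL\r\n\r\n"


def header_values(raw_response, name):
    """Return every value of header `name` (names compared case-insensitively)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            values.append(value.strip())
    return values


def check_xpcdp(raw_response):
    """Classify the X-Permitted-Cross-Domain-Policies header of one response."""
    values = header_values(raw_response, "X-Permitted-Cross-Domain-Policies")
    if not values:
        return {"status": "missing", "value": None}
    if len(values) > 1:
        # Two copies (e.g. set at two config levels) leave clients guessing.
        return {"status": "duplicate", "value": values}
    value = values[0].lower()
    if value not in ALLOWED_VALUES:
        return {"status": "invalid", "value": value}
    if value == "all":
        # Every policy file is honoured: the most permissive setting.
        return {"status": "weak", "value": value}
    return {"status": "ok", "value": value}
```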
