Duplicate "X-Frame-Options: SAMEORIGIN" header in AEMaaCS response

Duplicate â€œX-Frame-Options: SAMEORIGINâ€ header in AEMaaCS response

Last update: Tue Jul 22 2025 00:00:00 GMT+0000 (Coordinated Universal Time)

In ÃÛ¶¹ÊÓÆµ Experience Manager as a Cloud Service (AEMaaCS) â€“ Sites, the X-Frame-Options: SAMEORIGIN header appears twice in HTTP responses. This occurs when both AEM and the dispatcher or vhost configurations independently set the same header. To resolve the issue, remove the redundant header configuration from the dispatcher.

Description description

Environment

ÃÛ¶¹ÊÓÆµ Experience Manager as a Cloud Service (AEMaaCS) â€“ Sites

Issue/Symptoms

X-Frame-Options: SAMEORIGINÂ header appears twice in HTTP response headers.
Both dispatcher and vhost configuration includes X-Frame-Options: SAMEORIGIN.
AEM sets the header by default, even after removing it from the dispatcher configuration.

Cause

Duplication occurs when both the AEM and the dispatcher/vhost settings independently add the header.

Resolution resolution

AEMaaCS automatically sets the X-Frame-Options: SAMEORIGIN header via the OSGi configuration (sling.additional.response.headers in org.apache.sling.engine.impl.SlingMainServlet). To prevent duplicate headers:

Check your dispatcher or vhost configurations for any X-Frame-Options: SAMEORIGIN entries.
Remove any instances that explicitly set this header within dispatcher or vhost settings.
Set security headers in only one placeâ€”either in AEM or at the dispatcher/CDN level, not both.

Configuring Dispatcher in AEM dispatcher guide.

recommendation-more-help

3d58f420-19b5-47a0-a122-5c9dab55ec7f

ÃÛ¶¹ÊÓÆµ