Hi!
Note:
Most importantly, the allow-from value for that header doesn't appear to be widely supported (see here).
I think omitting the header, or using a CSP header’s frame-ancestors is your best bet.
Testing it Out
Testing this out myself, I set:
[services.ports.http_options.response.headers]
X-Frame-Options = "DENY"
Chrome seems to keep responding with the SAMEORIGIN response (not sure if that's cached or something?)
But curl showed the updated header value (I suggest you test with curl as well!)
Note that it says DENY now:
What To Do
Overall I think the most important thing to find here is that allow-from isn't going to work in modern browsers. You should check out CSP headers, or try to get Fly to remove the x-frame-options header.
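As an added example (not part of this post or of Fly's tooling), here is a small checker that takes the response headers you get back from curl and reports which framing policy a modern browser would actually enforce: it treats ALLOW-FROM as unsupported, and lets a CSP frame-ancestors directive take precedence over X-Frame-Options. The header values are constructed samples.

```python
"""Work out the framing policy a set of HTTP response headers really enforces."""
from typing import Dict, List, Optional


def _get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def frame_ancestors(csp: str) -> Optional[str]:
    """Return the source list of a CSP frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:])
    return None


def framing_policy(headers: Dict[str, str]) -> Dict[str, object]:
    """Describe what a current browser does with these headers, plus warnings."""
    warnings: List[str] = []
    ancestors = frame_ancestors(_get(headers, "Content-Security-Policy") or "")
    xfo = (_get(headers, "X-Frame-Options") or "").strip().upper()
    if ancestors is not None:
        # Browsers that understand frame-ancestors ignore X-Frame-Options
        # when both are present, so CSP is the policy that counts.
        if xfo:
            warnings.append("X-Frame-Options is ignored because frame-ancestors is set")
        return {"source": "csp", "policy": ancestors, "warnings": warnings}
    if xfo in ("DENY", "SAMEORIGIN"):
        return {"source": "x-frame-options", "policy": xfo, "warnings": warnings}
    if xfo.startswith("ALLOW-FROM"):
        # Modern browsers do not implement ALLOW-FROM: the page is framable.
        warnings.append("ALLOW-FROM is unsupported; use CSP frame-ancestors instead")
    elif xfo:
        warnings.append(f"unrecognised X-Frame-Options value {xfo!r} is ignored")
    return {"source": "none", "policy": "unprotected", "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample header sets, e.g. as pasted from `curl -sI <url>`.
    samples = {
        "fly default": {"x-frame-options": "SAMEORIGIN"},
        "deny": {"X-Frame-Options": "DENY"},
        "allow-from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
        "csp": {"Content-Security-Policy": "frame-ancestors 'self' https://example.com"},
    }
    for label, hdrs in samples.items():
        print(label, framing_policy(hdrs))
```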