# X-Frame-Options header

Configuration guide
To help prevent clickjacking exploits, we added an option to send the X-Frame-Options HTTP response header with every page served by your storefront. The X-Frame-Options header tells the browser whether it may render the page inside a `<frame>`, `<iframe>`, or `<object>` on another page, as follows:

- DENY: The page cannot be displayed in a frame at all.
- SAMEORIGIN: (The default Magento setting.) The page can be displayed only in a frame whose origin is the same as the page itself.
{:.bs-callout-warning}
The ALLOW-FROM <uri> option has been deprecated because the browsers Magento supports no longer honor it. See Browser compatibility. Those browsers implement the Content-Security-Policy `frame-ancestors` directive instead, which is the standard way to allow framing from specific origins.
{:.bs-callout-warning} For security reasons, Magento strongly recommends against running the Magento storefront in a frame.
Set a value for X-Frame-Options in `<magento_root>/app/etc/env.php`. Following is the default value:

```php
'x-frame-options' => 'SAMEORIGIN',
```
This value must be edited in env.php rather than in the Admin, because a setting in a server-side file is more secure than one that can be changed from the Admin.
To verify your setting, view the HTTP response headers of any storefront page. There are several ways to do this, including the network panel of a web browser's inspector.

The following example uses curl, which you can run from any machine that can reach your Magento server over HTTP or HTTPS:

```bash
curl -I -v --location-trusted '<your Magento storefront URL>'
```

Look for the X-Frame-Options value in the response headers. `-I` asks for headers only (an HTTP HEAD request), and `--location-trusted` follows redirects, so a store that redirects from http to https prints one header block per hop; check the headers of the final response, which is the page a browser would actually render. Note that `--location-trusted` also forwards any credentials passed with `-u` to the redirect target; if you are not authenticating, plain `-L` does the same job.
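The curl output still has to be read by hand, and a store that redirects prints one header block per hop. The following Python is an added example, not part of the Magento documentation: it parses saved `curl -I -v --location-trusted` output (plain or `< `-prefixed verbose lines), keeps only the headers of the final response, and classifies the X-Frame-Options value, flagging a missing header, the deprecated ALLOW-FROM form, and conflicting repeated values. The sample output and the hostname in it are constructed, not captured from a real store.

```python
import re

# Constructed sample: an http -> https redirect followed by the final storefront
# page. Hostname and cookie value are made up.
SAMPLE_CURL_OUTPUT = """\
HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://store.example.com/

HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
set-cookie: PHPSESSID=abc123; path=/; HttpOnly
"""

# Matches "HTTP/1.1 301 Moved Permanently" and "HTTP/2 200".
STATUS_LINE = re.compile(r"^HTTP/\d(?:\.\d)?\s+\d{3}\b")

# The only values current browsers act on; ALLOW-FROM is deprecated.
ACCEPTED = {"DENY", "SAMEORIGIN"}


def split_responses(raw):
    """Return one dict of headers per HTTP response found in curl output.

    Header names are lower-cased (they are case-insensitive per RFC 9110);
    repeated headers are collected into a list. Verbose-mode chatter
    ('* ' lines) and request lines ('> ' lines) are ignored.
    """
    responses = []
    current = None
    for line in raw.splitlines():
        if line.startswith("* ") or line.startswith("> "):
            continue
        if line.startswith("< "):  # curl -v prefixes received lines with '< '
            line = line[2:]
        line = line.strip()
        if STATUS_LINE.match(line):
            current = {}
            responses.append(current)
            continue
        if current is None or ":" not in line:
            continue  # blank separator lines or text before the first status line
        name, value = line.split(":", 1)
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return responses


def check_x_frame_options(raw):
    """Classify X-Frame-Options on the *final* response after redirects.

    Returns (verdict, value) where verdict is one of:
    'ok', 'missing', 'deprecated', 'conflicting', 'unrecognized', 'no-response'.
    """
    responses = split_responses(raw)
    if not responses:
        return ("no-response", None)
    final = responses[-1]
    # A comma-separated list on one line is equivalent to repeated headers.
    values = [
        v.strip()
        for raw_value in final.get("x-frame-options", [])
        for v in raw_value.split(",")
        if v.strip()
    ]
    if not values:
        return ("missing", None)
    if len({v.upper() for v in values}) > 1:
        return ("conflicting", ", ".join(values))
    value = values[0]
    token = value.upper()
    if token in ACCEPTED:
        return ("ok", token)
    if token.startswith("ALLOW-FROM"):
        return ("deprecated", value)
    return ("unrecognized", value)


if __name__ == "__main__":
    # Typical use: curl -I -v --location-trusted URL > headers.txt 2>&1
    # then pass the file contents; here the constructed sample stands in for it.
    print(check_x_frame_options(SAMPLE_CURL_OUTPUT))
```

If you capture both stdout and stderr of `curl -I -v`, each response appears twice (once plain, once `< `-prefixed); the checker still reads the last block, which is the final response either way.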