To help prevent Clickjacking exploits, we added an option to use the X-Frame-Options HTTP request header in requests to your storefront.
X-Frame-Options header enables you to specify if a browser should be allowed to render a page in a
<object> as follows:
DENY: Page cannot be displayed in a frame.
SAMEORIGIN: (default) Page can be displayed only in a frame on the same origin as the page itself.
ALLOW-FROM <uri> option has been deprecated because Commerce-supported browsers no longer support it. See Browser compatibility.
For security reasons, Adobe strongly recommends against running the Commerce storefront in a frame.
Set a value for
<project-root>/app/etc/env.php. The default value is set as follows:
'x-frame-options' => 'SAMEORIGIN',
Redeploy for any changes to the
env.php file to take effect.
It is more secure to edit the
env.php file than it is to set a value in the Admin.
To verify your setting, view the HTTP headers on any storefront page. There are several ways to do this, including using a web browser inspector.
The following example uses curl, which you can run from any machine that can connect to your Commerce server over the HTTP protocol.
curl -I -v --location-trusted '<storefront-URL>'
Look for the
X-Frame-Options value in the headers.