Prevent Clickjacking Exploits
Topics: Configuration, Security
Created for: Experienced, Admin, Developer
Prevent clickjacking exploits by including the X-Frame-Options HTTP header in the responses your storefront sends.
The X-Frame-Options header enables you to specify whether a browser is allowed to render a page in a <frame>, <iframe>, or <object>, as follows:
- DENY: Page cannot be displayed in a frame.
- SAMEORIGIN: (default) Page can be displayed only in a frame on the same origin as the page itself.
The ALLOW-FROM <uri> option has been deprecated because Commerce-supported browsers no longer support it. See Browser compatibility.
Implement X-Frame-Options
Set a value for X-Frame-Options in <project-root>/app/etc/env.php. The default value is set as follows:
'x-frame-options' => 'SAMEORIGIN',
Redeploy for any changes to the env.php file to take effect.
env.php file than it is to set a value in the Admin.
Verify your setting for X-Frame-Options
To verify your setting, view the HTTP headers on any storefront page. There are several ways to do this, including using a web browser inspector.
The following example uses curl, which you can run from any machine that can connect to your Commerce server over the HTTP protocol.
curl -I -v --location-trusted '<storefront-URL>'
Look for the X-Frame-Options value in the headers.
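The verification step above can be scripted so that a missing, deprecated, or unrecognised value is reported instead of just eyeballed. This is an added example, not from the Adobe Commerce documentation; the storefront URL is a placeholder and the sample header blocks are constructed for an offline run.

```shell
#!/bin/sh
# Added example, not from the Adobe Commerce docs: parse the headers that
# `curl -I` prints and classify the storefront's X-Frame-Options value.
# The storefront URL passed to check_storefront_xfo is a placeholder.

# Reads raw HTTP response headers on stdin and prints one line:
#   OK:<value>          DENY or SAMEORIGIN is set (exit 0)
#   DEPRECATED:<value>  ALLOW-FROM is set; Commerce-supported browsers ignore it
#   INVALID:<value>     unrecognised value; browsers ignore it, page stays frameable
#   MISSING             no X-Frame-Options header at all
# Anything other than OK returns exit status 1.
classify_xfo() {
    # Header names are case-insensitive. With --location-trusted curl prints the
    # headers of every redirect hop, so keep only the last occurrence, which
    # belongs to the final response the browser would actually render.
    value=$(tr -d '\r' | grep -i '^x-frame-options:' | tail -n 1 \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//')
    if [ -z "$value" ]; then
        echo "MISSING"
        return 1
    fi
    upper=$(printf '%s' "$value" | tr '[:lower:]' '[:upper:]')
    case "$upper" in
        DENY|SAMEORIGIN) echo "OK:$upper"; return 0 ;;
        ALLOW-FROM*)     echo "DEPRECATED:$value"; return 1 ;;
        *)               echo "INVALID:$value"; return 1 ;;
    esac
}

# Live check against a storefront, using the same curl options as the doc.
check_storefront_xfo() {
    curl -sS -I --location-trusted "$1" | classify_xfo
}

# Constructed sample header blocks so the check can be exercised offline.
SAMPLE_DEFAULT='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
'
SAMPLE_MISSING='HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
'

printf '%s' "$SAMPLE_DEFAULT" | classify_xfo   # prints OK:SAMEORIGIN
```

Run `check_storefront_xfo '<storefront-URL>'` against a deployed instance; a non-zero exit status means the redeploy did not take effect or the value is one browsers will ignore.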