X-Frame-Options header

Overview

To help prevent clickjacking exploits, we added an option to set the X-Frame-Options HTTP header on responses from your storefront.

The X-Frame-Options header enables you to specify whether a browser is allowed to render a page in a <frame>, <iframe>, or <object>. It takes one of the following values:

  • DENY: Page cannot be displayed in a frame.
  • SAMEORIGIN: (The default Magento setting.) Page can be displayed only in a frame on the same origin as the page itself.
  • ALLOW-FROM <uri>: Page can be displayed only in a frame on the specified origin.

The Chrome and Safari browsers do not support the ALLOW-FROM option. Browser Compatibility provides details about this feature.

For security reasons, Magento strongly recommends against running the Magento storefront in a frame.

Implement X-Frame-Options

Set a value for X-Frame-Options in <magento_root>/app/etc/env.php. The following is the default value:

'x-frame-options' => 'SAMEORIGIN',

If you want to allow any website to load the page, you can use *:

'x-frame-options' => '*',

We require you to edit env.php because it is more secure than setting a value in the Magento Admin.

Verify your setting for X-Frame-Options

To verify your setting, view HTTP headers on any storefront page. There are several ways to do this, including using a web browser inspector.

The following example uses curl, which you can run from any machine that can connect to your Magento server over the HTTP protocol.

Use the following command:

curl -I -v --location-trusted '<your Magento storefront URL>'

Look for the X-Frame-Options value in the headers.
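As an added example (not part of the Magento documentation or code), the following script evaluates the header blocks that curl -I --location-trusted prints to stdout, looks at the final response in the redirect chain (the page the browser actually renders), and classifies its X-Frame-Options setting. The sample output and the hostname store.example.test are constructed.

```python
"""Classify the X-Frame-Options header in captured `curl -I` output."""
import re

# Constructed sample: what `curl -I --location-trusted` prints for a storefront
# that redirects HTTP to HTTPS and then serves the page with the Magento default.
SAMPLE_CURL_OUTPUT = """\
HTTP/1.1 301 Moved Permanently
Location: https://store.example.test/
Content-Length: 0

HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff

"""

VALID_KEYWORDS = {"DENY", "SAMEORIGIN"}
ALLOW_FROM_RE = re.compile(r"^ALLOW-FROM\s+\S+$", re.IGNORECASE)


def split_responses(raw):
    """Split curl -I output into one list of header lines per response."""
    blocks = re.split(r"\r?\n\r?\n", raw.strip())
    return [b.splitlines() for b in blocks if b.strip()]


def frame_options(header_lines):
    """Return every X-Frame-Options value (header names are case-insensitive)."""
    values = []
    for line in header_lines[1:]:  # line 0 is the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-frame-options":
            values.append(value.strip())
    return values


def assess(header_lines):
    """Classify one response: 'missing', 'deny', 'sameorigin', 'allow-from',
    'conflicting' (header sent more than once; browser handling varies) or
    'invalid' (a value such as '*' that browsers do not recognise and ignore)."""
    values = frame_options(header_lines)
    if not values:
        return "missing"
    if len(values) > 1:
        return "conflicting"
    value = values[0].upper()
    if value in VALID_KEYWORDS:
        return value.lower()
    return "allow-from" if ALLOW_FROM_RE.match(value) else "invalid"


def check_storefront(raw):
    """Assess the last response in the chain, i.e. the page that gets rendered."""
    responses = split_responses(raw)
    return assess(responses[-1]) if responses else "missing"
```

Anything other than 'deny' or 'sameorigin' means the storefront can be framed by some or all origins; remember that Chrome and Safari treat ALLOW-FROM as unrecognised.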

For more information