PHP 7.3 reaches end of support in December 2021 and Adobe Commerce 2.3.x reaches end of support in April 2022. You may want to consider planning your upgrade now to Adobe Commerce 2.4.x and PHP 7.4.x to help maintain PCI compliance.

X-Frame-Options header

Overview

To help prevent clickjacking exploits, we added an option to use the X-Frame-Options HTTP request header in requests to your storefront.

The X-Frame-Options header enables you to specify whether or not a browser should be allowed to render a page in a <frame>, <iframe>, or <object> as follows:

  • DENY: Page cannot be displayed in a frame.
  • SAMEORIGIN: (The default Magento setting.) Page can be displayed only in a frame on the same origin as the page itself.

The ALLOW-FROM <uri> option has been deprecated because Magento-supported browsers no longer support it. See Browser compatibility.

For security reasons, Magento strongly recommends against running the Magento storefront in a frame.

Implement X-Frame-Options

Set a value for X-Frame-Options in <magento_root>/app/etc/env.php. Following is the default value:

1
'x-frame-options' => 'SAMEORIGIN',

We require you to edit env.php because it’s more secure than setting a value in the Admin.

Verify your setting for X-Frame-Options

To verify your setting, view HTTP headers on any storefront page. There are several ways to do this, including using a web browser inspector.

The following example uses curl, which you can run from any machine that can connect to your Magento server over the HTTP protocol.

Use the following command:

1
curl -I -v --location-trusted '<your Magento storefront URL>'

Look for the X-Frame-Options value in the headers.

For more information