Prevent Clickjacking Exploits
Prevent clickjacking exploits by having your storefront send the X-Frame-Options HTTP response header with every page.
The X-Frame-Options header enables you to specify whether a browser is allowed to render a page in a <frame>, <iframe>, or <object> as follows:
DENY: Page cannot be displayed in a frame.
SAMEORIGIN: (default) Page can be displayed only in a frame on the same origin as the page itself.
WARNING
The ALLOW-FROM <uri> option has been deprecated because Commerce-supported browsers no longer support it.
WARNING
For security reasons, Adobe strongly recommends against running the Commerce storefront in a frame.
Implement X-Frame-Options
Set a value for X-Frame-Options in <project-root>/app/etc/env.php. The default value is set as follows:
'x-frame-options' => 'SAMEORIGIN',
Redeploy for any changes to the env.php file to take effect.
TIP
It is more secure to edit the env.php file than it is to set a value in the Admin.
Verify your setting for X-Frame-Options
To verify your setting, view the HTTP headers on any storefront page. There are several ways to do this, including using a web browser inspector.
The following example uses curl, which you can run from any machine that can connect to your Commerce server over the HTTP protocol.
curl -I -v --location-trusted '<storefront-URL>'
Look for the X-Frame-Options value in the headers.
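The check described above, automated over the output of curl -I, as an added example that is not part of the Commerce documentation or code base. It assumes a constructed curl transcript with one redirect hop and reports whether the final response carries an X-Frame-Options value that browsers still honour (DENY or SAMEORIGIN); a missing header or the deprecated ALLOW-FROM form is flagged as unprotected.

```python
import re

# Constructed sample of `curl -I --location-trusted` output: the first block is a
# redirect hop, the second is the final storefront response a browser would frame.
SAMPLE_HEADERS = """HTTP/1.1 301 Moved Permanently
Location: https://shop.example.test/
Content-Length: 0

HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
cache-control: max-age=0, must-revalidate, no-cache, no-store
"""

# Values that current browsers still enforce.
ACCEPTED = {"DENY", "SAMEORIGIN"}


def final_response_headers(raw: str) -> dict:
    """Return the headers of the last response in a curl -I transcript.

    With --location-trusted curl prints one header block per hop; only the
    final block describes the page that would actually be rendered in a frame.
    """
    blocks = [b for b in re.split(r"\r?\n\r?\n", raw.strip()) if b.strip()]
    headers = {}
    for line in blocks[-1].splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return headers


def check_x_frame_options(raw: str) -> tuple:
    """Classify the X-Frame-Options header of the final response as (protected, reason)."""
    value = final_response_headers(raw).get("x-frame-options")
    if value is None:
        return False, "missing: storefront can be framed by any origin"
    parts = value.split()
    token = parts[0].upper() if parts else ""
    if token in ACCEPTED:
        return True, f"{token}: framing restricted"
    if token == "ALLOW-FROM":
        return False, "ALLOW-FROM is deprecated and ignored by current browsers"
    return False, f"unrecognised value {value!r}: browsers ignore it"


if __name__ == "__main__":
    print(check_x_frame_options(SAMPLE_HEADERS))
```

To check a live storefront, pipe the curl output from the command above into check_x_frame_options instead of SAMPLE_HEADERS.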