Magento 2.1.18 is the final 2.1.x release. After June 2019, Magento 2.1.x will no longer receive security patches, quality fixes, or documentation updates.
To maintain your site's performance, security, and PCI compliance, upgrade to the latest version of Magento.

X-Frame-Options header

Overview

To help prevent clickjacking exploits, we added an option to send the X-Frame-Options HTTP response header with every page your storefront serves.

The X-Frame-Options header enables you to specify whether or not a browser should be allowed to render a page in a <frame>, <iframe>, or <object> as follows:

  • DENY: Page cannot be displayed in a frame.
  • SAMEORIGIN: (The default Magento setting.) Page can be displayed only in a frame on the same origin as the page itself.
  • ALLOW-FROM <uri>: Page can be displayed only in a frame on the specified origin.

The Chrome and Safari browsers do not support the ALLOW-FROM option: they treat a header carrying that directive as invalid and ignore it entirely, so in those browsers a page sent with ALLOW-FROM can be framed from anywhere. Browser Compatibility provides details about this feature.

For security reasons, Magento strongly recommends against running the Magento storefront in a frame.

Implement X-Frame-Options

Set a value for X-Frame-Options in <magento_root>/app/etc/env.php. The default value is:

  'x-frame-options' => 'SAMEORIGIN',

If you never frame the storefront, DENY is the stricter choice:

  'x-frame-options' => 'DENY',

If you want to allow any website to load the page, you can use *:

  'x-frame-options' => '*',

Note that * is not one of the values defined for X-Frame-Options (DENY, SAMEORIGIN, ALLOW-FROM). Browsers ignore a header whose value they do not recognize, so the effect is the same as sending no header at all: any site can embed the storefront in a frame, which is exactly what the header exists to prevent. Use * only when you have a specific, reviewed need to embed the storefront elsewhere.

The value is set in env.php rather than in the Magento Admin because a file on the server is harder to change than an Admin setting: compromising an Admin account alone is not enough to weaken the storefront's clickjacking protection.

Verify your setting for X-Frame-Options

To verify your setting, view the HTTP response headers of any storefront page. There are several ways to do this, including the network panel of a web browser inspector.

The following example uses curl, which you can run from any machine that can reach your Magento storefront over HTTP or HTTPS.

Use the following command:

curl -I -v --location-trusted '<your Magento storefront URL>'

Look for the X-Frame-Options value in the headers. -I sends a HEAD request, and --location-trusted follows redirects (for example from http:// to https://), so curl prints one block of headers per hop. The value that matters is the one in the final response, because that is the response the browser renders.
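Reading the header by eye works for one store, but it is easy to miss a lowercase header name, a stale value from an intermediate redirect, or a value that looks set but is not a valid token. The following POSIX shell script is an added check that is not part of this page or of Magento: it classifies the X-Frame-Options header in captured curl output, tolerating case differences and CRLF line endings, picking the final response when redirects were followed, and flagging the two states that leave the storefront frameable (no header, or an unrecognized value such as *). The hostnames and the sample responses embedded in it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Magento code): classify the X-Frame-Options header in raw
# HTTP response headers, such as the output of
#   curl -sI --location-trusted 'https://store.example/'   # placeholder hostname
# Usage:  sh xfo_check.sh --stdin < headers.txt
#    or:  xfo_verdict "$(curl -sI --location-trusted 'https://store.example/')"

# Print the value of the X-Frame-Options header found in the headers on stdin.
# Header names are case-insensitive, curl prints one header block per hop when
# it follows redirects, and lines end in CRLF. The last match wins because it
# belongs to the final response, which is the one the browser applies.
xfo_value() {
  tr -d '\r' | awk '
    tolower($0) ~ /^x-frame-options:/ {
      v = $0
      sub(/^[^:]*:[[:space:]]*/, "", v)   # drop "X-Frame-Options:" and leading blanks
      sub(/[[:space:]]*$/, "", v)         # drop trailing blanks
    }
    END { print v }'
}

# $1 is the raw header text. Prints one line starting with OK, WARN or FAIL.
xfo_verdict() {
  value=$(printf '%s\n' "$1" | xfo_value)
  token=$(printf '%s' "$value" | tr 'a-z' 'A-Z')   # tokens compare case-insensitively
  case "$token" in
    '')
      echo "FAIL: header missing; page can be framed by any origin" ;;
    DENY)
      echo "OK: DENY; page cannot be framed anywhere" ;;
    SAMEORIGIN)
      echo "OK: SAMEORIGIN; page can be framed only by its own origin (Magento default)" ;;
    ALLOW-FROM\ *)
      echo "WARN: $value; ALLOW-FROM is ignored by Chrome and Safari, which then allow any framing" ;;
    *)
      echo "FAIL: '$value' is not a recognized value; browsers ignore the header, so any origin can frame the page" ;;
  esac
}

# Constructed sample responses (not captured from a real store) for a stand-alone run.
HDR_DEFAULT=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\nX-Frame-Options: SAMEORIGIN\r\n')
HDR_STAR=$(printf 'HTTP/1.1 200 OK\r\nX-Frame-Options: *\r\n')
# A redirect hop that says DENY, followed by the final page that says sameorigin.
HDR_REDIRECT=$(printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://store.example/\r\nX-Frame-Options: DENY\r\n\r\nHTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n')

if [ "${1:-}" = "--stdin" ]; then
  xfo_verdict "$(cat)"
else
  for h in "$HDR_DEFAULT" "$HDR_STAR" "$HDR_REDIRECT"; do xfo_verdict "$h"; done
fi
```

Pipe real curl output into the script with --stdin after a deployment, or call xfo_verdict from a larger check; a verdict that does not start with OK means the storefront can be framed in at least some browsers.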
