X-Frame-Options (XFO)

HTTP security headers add a layer of defence by telling the browser how it may treat a response, which mitigates whole classes of vulnerabilities. This article explains how to use the X-Frame-Options header to combat clickjacking, where an attacker loads your site inside an invisible iframe on a page they control and tricks users into clicking on it.

You can have your shop send an X-Frame-Options header to stop other pages from loading it in an iframe. The header could be set in the nginx config, but in a Frontastic project you set it from the application, as described below. For example, setting X-Frame-Options to SAMEORIGIN lets only pages from your own origin frame the shop (DENY forbids framing entirely).

To do this, you'll need to create a Symfony response event listener (see the Symfony documentation on event listeners for how these work).

You can copy the following code example:

<?php

namespace <customer>\SomeBundle\EventListener; // must match the service id in services.xml

use Symfony\Component\HttpKernel\Event\ResponseEvent;

class XFrameOptions
{
    public function onKernelResponse(ResponseEvent $event)
    {
        // Called for every kernel.response event; add the header to the outgoing response
        $response = $event->getResponse();
        $response->headers->set('X-Frame-Options', 'SAMEORIGIN');
    }
}

❗️

If you add this header, the preview in the Frontastic studio will stop working. Let your teams know before you roll it out.

Put this file in the src/php/<SomeBundle>/EventListener folder, where <SomeBundle> is either an existing bundle or a new bundle created just for the XFrameOptions listener.

Then register the listener in src/php/SomeBundle/Resources/config/services.xml, like this:

<service id="<customer>\SomeBundle\EventListener\XFrameOptions">
    <tag name="kernel.event_listener" event="kernel.response" method="onKernelResponse" />
</service>

The id attribute must be the fully qualified class name of the listener, that is the namespace you declared in XFrameOptions.php followed by the class name. Once deployed, check the header is actually sent by requesting a shop page with curl -I and looking for the X-Frame-Options line in the response.
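As an added example (not code from the original page or from Frontastic), here is a fuller version of the same listener. It only touches the main request's response, refuses to clobber an X-Frame-Options value another listener already set, and additionally emits the Content-Security-Policy frame-ancestors directive, which is the standardised successor to X-Frame-Options and takes precedence in browsers that support both. The namespace Customer\SomeBundle stands in for the page's <customer>\SomeBundle placeholder, and the constructor argument is an assumption of this example, not something the page requires.

```php
<?php
// Added example: an anti-clickjacking response listener for a Symfony app.
// "Customer\SomeBundle" is a stand-in for the page's <customer>\SomeBundle.

namespace Customer\SomeBundle\EventListener;

use Symfony\Component\HttpKernel\Event\ResponseEvent;

/**
 * Sets X-Frame-Options and the equivalent CSP frame-ancestors directive on
 * every main-request response. X-Frame-Options only knows DENY and
 * SAMEORIGIN; frame-ancestors is the modern equivalent and wins when both
 * headers are present, so sending both covers old and new browsers.
 */
class XFrameOptions
{
    /** @var string Either "DENY" or "SAMEORIGIN" (assumed configurable here) */
    private $policy;

    public function __construct(string $policy = 'SAMEORIGIN')
    {
        $policy = strtoupper($policy);
        if (!in_array($policy, ['DENY', 'SAMEORIGIN'], true)) {
            // ALLOW-FROM is deliberately unsupported: modern browsers ignore it.
            throw new \InvalidArgumentException("Unsupported X-Frame-Options value: $policy");
        }
        $this->policy = $policy;
    }

    public function onKernelResponse(ResponseEvent $event): void
    {
        // Sub-requests (ESI, fragments) never reach the browser on their own,
        // so only the main request's response needs the headers.
        // Note: on Symfony >= 5.3 this method is called isMainRequest().
        if (!$event->isMasterRequest()) {
            return;
        }

        $headers = $event->getResponse()->headers;

        // Keep a value another listener set first; it may be stricter (DENY).
        if (!$headers->has('X-Frame-Options')) {
            $headers->set('X-Frame-Options', $this->policy);
        }

        // Mirror the policy in CSP: DENY -> 'none', SAMEORIGIN -> 'self'.
        $frameAncestors = 'frame-ancestors ' . ($this->policy === 'DENY' ? "'none'" : "'self'");

        // Append to an existing CSP instead of replacing it, unless it already
        // carries its own frame-ancestors directive.
        $csp = (string) $headers->get('Content-Security-Policy', '');
        if (stripos($csp, 'frame-ancestors') === false) {
            $headers->set(
                'Content-Security-Policy',
                $csp === '' ? $frameAncestors : rtrim($csp, '; ') . '; ' . $frameAncestors
            );
        }
    }
}
```

Because the constructor argument has a default, the services.xml registration shown on this page works unchanged; to switch to DENY, add <argument>DENY</argument> inside the <service> element. After deploying, request a shop page with curl -I and confirm that both the X-Frame-Options and Content-Security-Policy headers appear in the response.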