X-Frame-Options (XFO)
HTTP security headers tell the browser how to behave and so help to mitigate whole classes of vulnerabilities. This article covers the X-Frame-Options header, which combats clickjacking: an attacker embeds your shop in an invisible iframe on a page they control and tricks the visitor into clicking on it. Current browsers also honour the Content-Security-Policy frame-ancestors directive, which supersedes X-Frame-Options, but X-Frame-Options is still worth sending for older browsers.
You can send this header to stop other sites from loading your shop in an iframe. The example below sets X-Frame-Options to sameorigin, so only pages from the shop's own origin are allowed to frame it (use deny if nothing at all should frame it).
To do this, you'll need to create a Symfony response event listener (see the Symfony documentation for how to do this).
You can copy the following code example:
<?php
namespace <customer>\SomeBundle\EventListener;

use Symfony\Component\HttpKernel\Event\ResponseEvent;

class XFrameOptions
{
    // Called for every kernel.response event, so every response (including error pages) gets the header
    public function onKernelResponse(ResponseEvent $event)
    {
        $response = $event->getResponse();
        // Browsers compare the value case-insensitively; "sameorigin" and "SAMEORIGIN" are equivalent
        $response->headers->set("X-Frame-Options", "sameorigin");
    }
}
If you add this, the preview in the Frontastic studio won't work, because the studio loads your shop in an iframe from its own origin. Let your teams know about this before you deploy it.
Put this file in the src/php/<SomeBundle>/EventListener folder, where <SomeBundle> is either an existing bundle or a new bundle you create just for the XFrameOptions listener.
Then register the listener in src/php/<SomeBundle>/Resources/config/services.xml, like below:
<service id="<customer>\SomeBundle\EventListener\XFrameOptions">
<tag name="kernel.event_listener" event="kernel.response" method="onKernelResponse" />
</service>
The id attribute must be the fully qualified class name of the listener, that is, the namespace you declared in XFrameOptions.php followed by the class name. If it doesn't match, Symfony can't find the class and the header is never set.