Add x-frame sameorigin header
Hey there, for security reasons I recommend adding the following headers by default:
No customers need to include their websites via iframe on another domain. If needed they can overwrite this header in their htaccess-file or via php/html.
PS: The apache/nginx-header module must be loaded. I think after implementing #4388, this would happen by default :-)
BTW: Additionally I would also add
Content-Security-Policy: frame-ancestors 'self' for modern browsers; X-Frame-Options should only be used for backwards-compatibility.
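A response-header check for the two headers discussed in this merge request, as an added example (not part of the original post or the project's code): it reports the framing policy a modern browser applies, where `frame-ancestors` takes precedence, and the one a legacy browser derives from `X-Frame-Options` alone. The function names, verdict labels and sample headers are constructed for illustration.

```python
# Added example: classify the anti-framing policy a response carries.
def frame_ancestors(csp_value):
    """Source list of the first frame-ancestors directive, or None if absent."""
    for directive in csp_value.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.lower() for p in parts[1:]]
    return None

def framing_policy(headers):
    """headers: (name, value) pairs as received, duplicates included."""
    xfo, csp_lists = [], []
    for name, value in headers:
        if name.lower() == "x-frame-options":
            xfo += [v.strip().upper() for v in value.split(",")]
        elif name.lower() == "content-security-policy":
            sources = frame_ancestors(value)
            if sources is not None:
                csp_lists.append(sources)
    # Legacy browsers only understand X-Frame-Options.
    distinct = set(xfo)
    if not distinct:
        legacy = "unprotected"
    elif distinct == {"SAMEORIGIN"}:
        legacy = "self"
    elif distinct == {"DENY"}:
        legacy = "none"
    else:
        legacy = "invalid"  # ALLOW-FROM, mixed values, typos: flag for review
    # Modern browsers use frame-ancestors when present and ignore XFO then;
    # every CSP header is enforced, so the strictest one decides.
    if not csp_lists:
        modern = legacy
    elif any(s in ([], ["'none'"]) for s in csp_lists):
        modern = "none"
    elif all(s == ["'self'"] for s in csp_lists):
        modern = "self"
    else:
        modern = "custom"
    return {"modern": modern, "legacy": legacy}

# Constructed sample responses (not captured from a real server).
SAMPLES = {
    "proposed default": [("X-Frame-Options", "SAMEORIGIN"),
                         ("Content-Security-Policy", "frame-ancestors 'self'")],
    "customer overrides CSP only": [("X-Frame-Options", "SAMEORIGIN"),
        ("Content-Security-Policy", "frame-ancestors 'self' https://partner.example")],
    "obsolete ALLOW-FROM": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(label, framing_policy(hdrs))
```

In the second sample the legacy verdict stays "self", so a customer who permits a partner origin through CSP alone is still blocked in browsers that only read `X-Frame-Options`; both headers have to be overridden together.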