
Commit f5a24f1

committed
MAGETWO-43510: x-frame-options missing from setup
- removed server configuration for application
1 parent 20bd0b9 commit f5a24f1


4 files changed

+19
-14
lines changed


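--- a/nginx.conf.sample
+++ b/nginx.conf.sample
@@ -34,13 +34,15 @@ location /setup {
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 include fastcgi_params;
-add_header X-Frame-Options "SAMEORIGIN"
 }
 
 location ~ ^/setup/(?!pub/). {
 deny all;
 }
-add_header X-Frame-Options "SAMEORIGIN";
+
+location ~ ^/setup/pub/ {
+add_header X-Frame-Options "SAMEORIGIN";
+}
 }
 
 location /update {
@@ -51,14 +53,16 @@ location /update {
 fastcgi_index index.php;
 fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
 include fastcgi_params;
-add_header X-Frame-Options "SAMEORIGIN"
 }
 
 # deny everything but index.php
 location ~ ^/update/(?!pub/). {
 deny all;
 }
-add_header X-Frame-Options "SAMEORIGIN"
+
+location ~ ^/update/pub/ {
+add_header X-Frame-Options "SAMEORIGIN";
+}
 }
 
 location / {
@@ -79,7 +83,7 @@ location /static/ {
 }
 location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
 add_header Cache-Control "public";
-add_header X-Frame-Options "SAMEORIGIN"
+add_header X-Frame-Options "SAMEORIGIN";
 expires +1y;
 
 if (!-f $request_filename) {
@@ -88,7 +92,7 @@ location /static/ {
 }
 location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
 add_header Cache-Control "no-store";
-add_header X-Frame-Options "SAMEORIGIN"
+add_header X-Frame-Options "SAMEORIGIN";
 expires off;
 
 if (!-f $request_filename) {
@@ -110,13 +114,13 @@ location /media/ {
 
 location ~* \.(ico|jpg|jpeg|png|gif|svg|js|css|swf|eot|ttf|otf|woff|woff2)$ {
 add_header Cache-Control "public";
-add_header X-Frame-Options "SAMEORIGIN"
+add_header X-Frame-Options "SAMEORIGIN";
 expires +1y;
 try_files $uri $uri/ /get.php?$args;
 }
 location ~* \.(zip|gz|gzip|bz2|csv|xml)$ {
 add_header Cache-Control "no-store";
-add_header X-Frame-Options "SAMEORIGIN"
+add_header X-Frame-Options "SAMEORIGIN";
 expires off;
 try_files $uri $uri/ /get.php?$args;
 }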
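Review bot: The second hunk drops `add_header X-Frame-Options "SAMEORIGIN"` from the `location /update` FastCGI block, but the only application-side replacement in this commit is the `header()` call in setup/index.php; nothing here sets the header for the update application, so unless update/index.php already emits it, responses from /update lose their clickjacking protection while /setup keeps it. Either retain `add_header X-Frame-Options "SAMEORIGIN";` inside `location /update` or add the equivalent call to the update front controller. Separately, nginx's `add_header` is applied only to 2xx/3xx responses unless written `add_header X-Frame-Options "SAMEORIGIN" always;` (nginx 1.7.5+), so the new `location ~ ^/setup/pub/` and `^/update/pub/` blocks leave 403/404 responses without the header. The removed lines lacked a terminating semicolon, which the static/media hunks correct on the surviving directives.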

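--- a/setup/.htaccess
+++ b/setup/.htaccess
@@ -3,9 +3,3 @@ Options -Indexes
 <IfModule mod_rewrite.c>
 RewriteEngine Off
 </IfModule>
-
-<IfModule mod_headers.c>
-############################################
-## prevent clickjacking
-Header set X-Frame-Options SAMEORIGIN
-</IfModule>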

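--- a/setup/index.php
+++ b/setup/index.php
@@ -28,4 +28,6 @@
 $handler = new \Magento\Framework\App\ErrorHandler();
 set_error_handler([$handler, 'handler']);
 
+header('X-Frame-Options: SAMEORIGIN');
+
 \Zend\Mvc\Application::init(require __DIR__ . '/config/application.config.php')->run();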
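Review bot: The new `header('X-Frame-Options: SAMEORIGIN');` has no comment recording that it replaces the web-server directives this commit removes from nginx.conf.sample and setup/.htaccess, so a later maintainer could reasonably drop it as redundant with server config. Suggest placing `// Clickjacking protection for the setup app; static files under setup/pub/ get the header from the web server (setup/pub/.htaccess, nginx.conf.sample).` directly above it. Note that PHP's header() replaces an earlier header of the same name by default, so any X-Frame-Options the Zend application sends later will override this value; that looks intended but is worth stating in the comment.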

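--- a/setup/pub/.htaccess
+++ b/setup/pub/.htaccess
@@ -0,0 +1,5 @@
+<IfModule mod_headers.c>
+############################################
+## prevent clickjacking
+Header set X-Frame-Options SAMEORIGIN
+</IfModule>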
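Review bot: `Header set X-Frame-Options SAMEORIGIN` is only applied to successful responses; with mod_headers the `always` condition, `Header always set X-Frame-Options SAMEORIGIN`, also covers error responses such as the 403/404 pages Apache generates for requests under setup/pub/ (Apache 2.2.12 or later). The `<IfModule mod_headers.c>` guard also means the header is silently absent when mod_headers is not loaded, so the module should be documented as a deployment requirement rather than relied on through this file alone.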
