How do I send the X-Frame-Options: DENY header with the PHP Yii framework?

I'm trying to DENY iframe calling my website with the PHP framework Yii.

I added this line at the top of 'index.php' or in 'protected/views/layouts/main.php':

<?php header("X-Frame-Options: DENY") ?>

But I still have the possibility to create an iframe with the 'src' property of my website!

I also tried adding this to the '.htaccess':

Header always append X-Frame-Options DENY

I resolved it by adding meta data in the head of the page:

<head>
    <meta http-equiv="X-FRAME-OPTIONS" content="DENY">
</head>

In Yii style we can do it using registerMetaTag. Add the following code in a view, layout or controller.

<?php Yii::app()->clientScript->registerMetaTag('DENY', null, null, array('http-equiv'=>'X-FRAME-OPTIONS')); ?>

It will add <meta http-equiv="X-FRAME-OPTIONS" content="DENY"> in the head tag.

For more details about registerMetaTag see here.

Here is the documentation on how to modify headers sent by the Yii framework (v2):

http://www.yiiframework.com/doc-2.0/guide-runtime-responses.html#http-headers

HTTP Headers

You can send HTTP headers by manipulating the header collection in the response component. For example,

    $headers = Yii::$app->response->headers;

    // add a Pragma header. Existing Pragma headers will NOT be overwritten.
    $headers->add('Pragma', 'no-cache');

    // set a Pragma header. Any existing Pragma headers will be discarded.
    $headers->set('Pragma', 'no-cache');

    // remove Pragma header(s) and return the removed Pragma header values in an array
    $values = $headers->remove('Pragma');

You can do this by configuring the response component of the application and adding custom headers in the beforeSend event, e.g.:

return [
    ...
    'components' => [
        ...
        'response' => [
            'on beforeSend' => function($event) {
                $event->sender->headers->add('X-Frame-Options', 'DENY');
            },
        ],
        ...
    ],
];

This will add the header(s) for all responses. This may not be appropriate, in which case you can use \Yii::$app->response->headers->add($name, $value); before returning from an action or in the afterAction() method of the controller.
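Putting the two pieces of this answer together, here is an added example (not code from the question, any answer, or the Yii project) of a Yii 2 application that sends X-Frame-Options: DENY on every response from the response component's beforeSend event, while one controller action that the site embeds in its own iframe relaxes the value to SAMEORIGIN. The two files are shown in one block; the component wiring is Yii 2's own, but the controller class, action and view names are assumptions. The beforeSend handler only fills in DENY when no value has been set yet, so an action can override it with set() without producing two conflicting X-Frame-Options headers, which is what add() would do.

```php
<?php
// ---- config/web.php (assumed location of the application config) ----
return [
    'components' => [
        'response' => [
            // beforeSend fires after the action has run and just before the
            // response is flushed, so a header added here is not lost to the
            // header reset that makes a bare header() call ineffective in Yii 2.
            'on beforeSend' => function (\yii\base\Event $event) {
                /** @var \yii\web\Response $response */
                $response = $event->sender;
                // Default every response to DENY, unless an action already
                // chose a value (header names are matched case-insensitively).
                if (!$response->headers->has('X-Frame-Options')) {
                    // set() replaces; add() would append a second value.
                    $response->headers->set('X-Frame-Options', 'DENY');
                }
            },
        ],
    ],
];

// ---- controllers/WidgetController.php (assumed controller, separate file) ----
namespace app\controllers;

use Yii;
use yii\web\Controller;

class WidgetController extends Controller
{
    // Assumed action: a widget page that pages on this same origin embed
    // in an <iframe>. Framing by other origins is still refused.
    public function actionEmbed()
    {
        // Set the relaxed value before returning; the beforeSend handler
        // above leaves an existing value untouched.
        Yii::$app->response->headers->set('X-Frame-Options', 'SAMEORIGIN');
        return $this->render('embed');
    }
}
```

To confirm the header actually reaches the client, request a page with `curl -sI http://localhost:8080/ | grep -i x-frame-options` against your own development server (the host and port here are placeholders) and check that exactly one X-Frame-Options line comes back with the value you expect for that route.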

It is well documented that the meta http-equiv tag does not work for this situation. In my opinion, http-equiv should never be used if you can set the header properly server-side.

The reason that the PHP header() function does not work is because Yii's response component resets all headers before preparing the response to send.

I expanded the controller:

// Both methods are public: Yii2 declares them public, and PHP does not allow an
// override to narrow visibility (Yii1 declares them protected, which a public
// override may widen).
public function beforeAction($action)
{
    /**
     * Clickjacking protection for Yii1. Yii1 does not reset PHP's header list,
     * so a plain header() call made before the action runs is sent as-is.
     */
    if (version_compare(\Yii::getVersion(), '2.0.0', '<')) {
        header('X-Frame-Options: SAMEORIGIN');
    }
    return parent::beforeAction($action);
}

// $result is optional so the signature is compatible with both
// Yii1 (afterAction($action)) and Yii2 (afterAction($action, $result)).
public function afterAction($action, $result = null)
{
    /**
     * Clickjacking protection for Yii2
     * https://stackoverflow.com/a/43342321/5546916
     * Yii2 has no Yii::app(); the application is \Yii::$app. set() replaces any
     * existing X-Frame-Options value instead of appending a second one.
     */
    if (version_compare(\Yii::getVersion(), '2.0.0', '>=')) {
        \Yii::$app->response->headers->set('X-Frame-Options', 'SAMEORIGIN');
    }
    return parent::afterAction($action, $result);
}