Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Missing HTTP headers to avoid login forms clickjacking security bug fix
# config/services.yaml
services:
# ...
App\EventListener\XFrameOptionsSubscriber:
tags: ['kernel.event_subscriber']
<?php
// src/EventListener/XFrameOptionsSubscriber.php
namespace App\EventListener
final class XFrameOptionsSubscriber implements EventSubscriberInterface
{
public static function getSubscribedEvents(): array
{
return [
KernelEvents::RESPONSE => 'onKernelResponse',
];
}
public function onKernelResponse(ResponseEvent $event): void
{
if (!$this->isMainRequest($event)) {
return;
}
$response = $event->getResponse();
$response->headers->set('X-Frame-Options', 'sameorigin');
}
private function isMainRequest(ResponseEvent $event): bool
{
if (\method_exists($event, 'isMainRequest')) {
return $event->isMainRequest();
}
return $event->isMasterRequest();
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment