The X-Frame-Options HTTP response header is designed to prevent clickjacking attacks. The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options directive is being set in an HTML <meta http-equiv> tag instead of in the HTTP response header. Browsers do not honour X-Frame-Options delivered this way, so the protection can easily be bypassed by an attacker.
The X-Frame-Options HTTP response header controls whether a page may be rendered inside a frame (<frame>, <iframe>, <embed> or <object>). It is designed to prevent clickjacking attacks. Clickjacking is a type of attack where an attacker loads the target page in an invisible frame on top of a decoy page, so that a click the user intends for a legitimate-looking button or link actually lands on the hidden page. By using the X-Frame-Options header, we can prevent our application from being embedded in a frame, thus preventing clickjacking attacks.
The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options directive is being set in a <meta> tag instead of in the HTTP response header. The X-Frame-Options specification only defines the header form; browsers ignore the meta form, so the page is left unprotected and the control can easily be bypassed by an attacker. Therefore, it is recommended to set X-Frame-Options as a real HTTP response header.
Solution
To fix this vulnerability, we need to set the X-Frame-Options header in the HTTP response header. There are three values that we can set for the X-Frame-Options header:
Let's take a look at how to set the X-Frame-Options header for each value.
DENY
X-Frame-Options: DENY
This will prevent the page from being loaded in any iframe.
SAMEORIGIN
X-Frame-Options: SAMEORIGIN
This will allow the page to be loaded in an iframe only if the parent page is from the same origin.
ALLOW-FROM uri
X-Frame-Options: ALLOW-FROM https://example.com/
This will allow the page to be loaded in an iframe only if the parent page is from the specified URI. Replace 'https://example.com/' with the URI that you want to allow. Note that ALLOW-FROM is obsolete: it was only ever supported by a few browsers and current browsers ignore it, which leaves the page framable. To allow a specific origin, use the Content-Security-Policy frame-ancestors directive instead (for example, Content-Security-Policy: frame-ancestors https://example.com/), and keep X-Frame-Options: DENY or SAMEORIGIN for older browsers.
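As an added example (not code from the original article), the script below does two things that follow from the finding and the solution above: it audits a raw HTTP response for the misconfigurations described (header missing, set only via a <meta> tag, or using the obsolete ALLOW-FROM value), and it shows the fix as a small generic WSGI wrapper that emits X-Frame-Options as a real response header. The sample responses are constructed for the demonstration; the wrapper is an illustration, not any particular framework's API.

```python
"""Audit an HTTP response for X-Frame-Options problems and show the fix.

Added example, not part of the original article. Sample responses are
constructed; add_frame_options() is a generic WSGI illustration.
"""
import re

# The only values the X-Frame-Options specification defines for current browsers.
VALID_VALUES = {"DENY", "SAMEORIGIN"}

# Matches <meta http-equiv="X-Frame-Options" ...> regardless of quoting/attribute order.
META_XFO = re.compile(
    r"""<meta\b[^>]*http-equiv\s*=\s*["']?x-frame-options["']?[^>]*>""", re.I
)


def parse_raw_response(raw: bytes):
    """Split a raw HTTP/1.1 response into (status line, headers dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        # Header names are case-insensitive; keep every occurrence to spot duplicates.
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers, body.decode("utf-8", errors="replace")


def audit_xfo(raw: bytes) -> list:
    """Return a list of findings; an empty list means the header is set correctly."""
    _, headers, body = parse_raw_response(raw)
    values = headers.get("x-frame-options", [])
    findings = []
    if not values:
        findings.append("X-Frame-Options header missing")
    elif len(values) > 1:
        findings.append("multiple X-Frame-Options headers; browsers may not apply the intended one")
    else:
        value = values[0].upper()
        if value.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is obsolete and ignored by modern browsers")
        elif value not in VALID_VALUES:
            findings.append(f"unrecognised X-Frame-Options value: {values[0]!r}")
    if META_XFO.search(body):
        # This is the 'Defined via META' finding: browsers ignore the meta form.
        findings.append("X-Frame-Options defined via META (browsers ignore it)")
    return findings


def add_frame_options(app, value="DENY"):
    """WSGI middleware: emit X-Frame-Options on every response (the fix)."""
    if value.upper() not in VALID_VALUES:
        raise ValueError("use DENY or SAMEORIGIN; ALLOW-FROM is obsolete")

    def wrapped(environ, start_response):
        def patched_start(status, headers, exc_info=None):
            # Replace any value the app set so exactly one header goes out.
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, patched_start)
    return wrapped


# Constructed sample responses: one vulnerable (meta only), one correct.
META_ONLY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<html><head><meta http-equiv='X-Frame-Options' content='DENY'></head>"
    b"<body>hello</body></html>"
)
HEADER_OK = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n"
    b"<html><body>hello</body></html>"
)


def demo_response_headers(value="DENY"):
    """Run a trivial WSGI app through the middleware; return (headers dict, body)."""
    captured = {}

    def app(environ, start_response):
        start_response("200 OK", [("Content-Type", "text/html")])
        return [b"<html><body>hello</body></html>"]

    def start_response(status, headers, exc_info=None):
        captured["headers"] = headers

    body = b"".join(add_frame_options(app, value)({}, start_response))
    return dict(captured["headers"]), body


if __name__ == "__main__":
    print("meta only :", audit_xfo(META_ONLY))
    print("header ok :", audit_xfo(HEADER_OK))
    print("fixed     :", demo_response_headers()[0])
```

Run the audit against a response captured with curl -i or from a proxy; a page that passes reports an empty list. The wrapper takes only DENY or SAMEORIGIN on purpose, since ALLOW-FROM is not honoured by current browsers and a specific allowed origin belongs in the Content-Security-Policy frame-ancestors directive.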