Vulnerabilities

X-Frame-Options Defined via META (Non-compliant with Spec)

The X-Frame-Options HTTP response header is designed to prevent clickjacking attacks. The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options header is being set using the 'meta' tag instead of the HTTP response header. This method can easily be bypassed by an attacker.

The X-Frame-Options HTTP response header can be used to control if a page can be loaded within an iframe or not. It is designed to prevent clickjacking attacks. Clickjacking is a type of attack where an attacker tricks a user into clicking on a button or link that appears to be legitimate but is actually hidden on a page that the user is visiting. By using the X-Frame-Options header, we can prevent our application from being embedded in an iframe, thus preventing clickjacking attacks.

The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options header is being set using the 'meta' tag instead of the HTTP response header. This method is non-compliant with the X-Frame-Options specification and can be easily bypassed by an attacker. Therefore, it is recommended to set the X-Frame-Options header in the HTTP response header.

Solution

To fix this vulnerability, we need to set the X-Frame-Options header in the HTTP response header. There are three values that we can set for the X-Frame-Options header:

  1. DENY - This value will prevent the page from being loaded in any iframe.
  2. SAMEORIGIN - This value will allow the page to be loaded in an iframe only if the parent page is from the same origin.
  3. ALLOW-FROM uri - This value will allow the page to be loaded in an iframe only if the parent page is from the specified uri.

Let's take a look at how to set the X-Frame-Options header for each value.

DENY

  1. To set the X-Frame-Options header to DENY, we need to add the following line to the HTTP response header:

X-Frame-Options: DENY

This will prevent the page from being loaded in any iframe.

SAMEORIGIN

  1. To set the X-Frame-Options header to SAMEORIGIN, we need to add the following line to the HTTP response header:

X-Frame-Options: SAMEORIGIN

This will allow the page to be loaded in an iframe only if the parent page is from the same origin.

ALLOW-FROM uri

  1. To set the X-Frame-Options header to ALLOW-FROM uri, we need to add the following line to the HTTP response header:

X-Frame-Options: ALLOW-FROM https://example.com/

This will allow the page to be loaded in an iframe only if the parent page is from the specified uri. Replace 'https://example.com/' with the URI that you want to allow.

SOC 2 & Beyond for Startups

Our expert VAPT identifies vulnerabilities in your web apps & network before attackers exploit them. Invest in peace of mind.

 Order Now

Latest Articles

View All Articles

IOthreat: Empowering Startups with AI-Driven Cybersecurity Solutions

In today’s fast-moving digital landscape, cybersecurity is no longer optional—especially for startups looking to scale securely. In the latest edition of Website Planet interviews, Uri Fleyder-Kotler, CEO of IOthreat, shares how his company provides AI-driven security solutions, fractional CISO services, and compliance automation to help startups navigate cyber risks without slowing down their growth.

SOC 2
 min read

Interview With Uri Fleyder-Kotler - CEO of IOthreat

During our conversation, Uri shared insights into IOthreat’s core mission and approach, highlighting the company’s focus on services like Virtual CISO and attack surface mapping. These offerings, he explains, are designed to meet the unique security needs of resource-limited startups, enabling them to develop a solid security foundation from day one. Uri also discussed how IOthreat simplifies compliance with frameworks such as SOC 2 and ISO 27001, ensuring clients can focus on their growth while staying secure and compliant in an increasingly complex threat landscape.

ISO 27001
3
 min read

Cybersecurity in the Age of Generative AI: A Practical Guide for IT Professionals

While Generative AI offers significant benefits, it also presents potential avenues for malicious exploitation. Cybercriminals are increasingly harnessing AI to exploit system vulnerabilities. This comprehensive guide delves into the multifaceted cybersecurity landscape shaped by generative AI, highlighting key threats and providing actionable strategies for mitigation.

Mitigations
 min read