X-Frame-Options Defined via META (Non-compliant with Spec)

The X-Frame-Options HTTP response header is designed to prevent clickjacking attacks. The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options header is being set using the 'meta' tag instead of the HTTP response header. This method can easily be bypassed by an attacker.

The X-Frame-Options HTTP response header can be used to control whether a page may be loaded within an iframe. It is designed to prevent clickjacking attacks. Clickjacking is an attack in which the target page is loaded in an invisible iframe over an attacker-controlled page, so that a user who believes they are clicking a legitimate, visible element actually clicks a button or link on the hidden, framed page. By using the X-Frame-Options header, we can prevent our application from being embedded in an iframe, thus preventing clickjacking attacks.

The vulnerability 'X-Frame-Options Defined via META (Non-compliant with Spec)' means that the X-Frame-Options value is being set using a 'meta' tag in the HTML instead of the HTTP response header. This method is non-compliant with the X-Frame-Options specification: browsers only honour the directive when it arrives as an HTTP response header, so a meta tag provides no framing protection and can be easily bypassed by an attacker. Therefore, it is recommended to set X-Frame-Options as an HTTP response header.

Solution

To fix this vulnerability, we need to set the X-Frame-Options header in the HTTP response header. There are three values that we can set for the X-Frame-Options header:

  1. DENY - This value will prevent the page from being loaded in any iframe.
  2. SAMEORIGIN - This value will allow the page to be loaded in an iframe only if the parent page is from the same origin.
  3. ALLOW-FROM uri - This value will allow the page to be loaded in an iframe only if the parent page is from the specified uri.

Let's take a look at how to set the X-Frame-Options header for each value.

DENY

  1. To set the X-Frame-Options header to DENY, we need to add the following line to the HTTP response header:

X-Frame-Options: DENY

This will prevent the page from being loaded in any iframe.

SAMEORIGIN

  1. To set the X-Frame-Options header to SAMEORIGIN, we need to add the following line to the HTTP response header:

X-Frame-Options: SAMEORIGIN

This will allow the page to be loaded in an iframe only if the parent page is from the same origin.

ALLOW-FROM uri

  1. To set the X-Frame-Options header to ALLOW-FROM uri, we need to add the following line to the HTTP response header:

X-Frame-Options: ALLOW-FROM https://example.com/

This will allow the page to be loaded in an iframe only if the parent page is from the specified URI. Replace 'https://example.com/' with the URI that you want to allow. Note that ALLOW-FROM was never supported by all browsers and current browsers ignore it; if you need to allow a specific framing origin, the supported mechanism is the Content-Security-Policy frame-ancestors directive.
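The following is an added example, not code from the original page: a small Python check that reproduces this finding by classifying a response as protected by a real X-Frame-Options header, protected only by a (non-compliant) meta tag, or unprotected, plus a WSGI wrapper that applies the fix by adding the header to responses that lack it. The sample HTML body is constructed for the example; WSGI is assumed as the deployment interface.

```python
import re
from html.parser import HTMLParser

# Header values the page lists; ALLOW-FROM takes a URI argument.
_ALLOW_FROM = re.compile(r"ALLOW-FROM\s+\S+$", re.IGNORECASE)

def header_value_is_valid(value):
    """True for DENY, SAMEORIGIN or ALLOW-FROM <uri>."""
    v = value.strip()
    return v.upper() in ("DENY", "SAMEORIGIN") or bool(_ALLOW_FROM.match(v))

class _MetaXfo(HTMLParser):
    """Collects content= of every <meta http-equiv="X-Frame-Options"> tag."""
    def __init__(self):
        super().__init__()
        self.values = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("http-equiv", "").strip().lower() == "x-frame-options":
            self.values.append(a.get("content", "").strip())

def check_xfo(headers, body):
    """Classify a response as 'header-ok', 'header-invalid', 'meta-only' or 'missing'.
    headers: response header name -> value (case-insensitive); body: HTML string."""
    header = next((v for k, v in headers.items() if k.lower() == "x-frame-options"), None)
    if header is not None:  # only a real HTTP header counts as protection
        return "header-ok" if header_value_is_valid(header) else "header-invalid"
    parser = _MetaXfo()
    parser.feed(body)
    return "meta-only" if parser.values else "missing"

def xfo_middleware(app, value="DENY"):
    """WSGI wrapper (the fix): add X-Frame-Options as a response header if the app did not."""
    def wrapped(environ, start_response):
        def sr(status, response_headers, exc_info=None):
            if not any(k.lower() == "x-frame-options" for k, _ in response_headers):
                response_headers.append(("X-Frame-Options", value))
            return start_response(status, response_headers, exc_info)
        return app(environ, sr)
    return wrapped

# Constructed sample: the non-compliant pattern, X-Frame-Options only in a meta tag.
META_ONLY_BODY = ('<html><head><meta http-equiv="X-Frame-Options" content="DENY">'
                  '</head><body>hello</body></html>')

if __name__ == "__main__":
    print(check_xfo({"Content-Type": "text/html"}, META_ONLY_BODY))  # meta-only
```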
