X-Frame-Options Header Not Set

X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.

Summary

X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.

Risk

Medium

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g., it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively, consider implementing Content Security Policy's 'frame-ancestors' directive.

References

‍

Secure Your Startup. Today.

We make your startup secure and compliant by implementing and managing the security controls your customers require.

Get Started

Latest Articles

View All Articles

Vulnerable JS Library

The Vulnerable JS Library is a common security issue that occurs when a web application uses outdated or unpatched JavaScript libraries. Cybercriminals exploit these vulnerabilities to gain access to sensitive data or cause damage to the application.

Vulnerabilities

min read

Referer Exposes Session ID

The 'Referer Exposes Session ID' vulnerability is a type of security flaw that can allow an attacker to hijack a user's session by exploiting the Referer header in HTTP requests.

Vulnerabilities

min read

Navigating GDPR Compliance on AWS

How to secure your AWS environment in compliance with the GDPR?

Mitigations

min read