X-Frame-Options Header Not Set

X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.

Summary

X-Frame-Options header is not included in the HTTP response to protect against ‘ClickJacking’ attacks.

Risk

Medium

Solution

Most modern Web browsers support the X-Frame-Options HTTP header. Ensure it's set on all web pages returned by your site (if you expect the page to be framed only by pages on your server (e.g., it's part of a FRAMESET) then you'll want to use SAMEORIGIN, otherwise if you never expect the page to be framed, you should use DENY. Alternatively, consider implementing Content Security Policy's 'frame-ancestors' directive.

References

Hackers target weaknesses. We expose them.

Our expert VAPT identifies vulnerabilities in your web apps & network before attackers exploit them. Invest in peace of mind.

 Order Now