X-Frame-Options Header is Missing
Impact: Low
Description
The absence of the X-Frame-Options HTTP response header leaves a website vulnerable to clickjacking attacks. Without this header, attackers can embed the site’s content into malicious pages using iframes, potentially leading to phishing attacks or unauthorized transactions.
Recommendation
To mitigate this vulnerability, configure your server to send the X-Frame-Options header with an appropriate setting for all pages. Common settings include DENY, SAMEORIGIN, or ALLOW-FROM followed by a specific URI. Choose the setting that best fits your application’s requirements. Ensure proper testing to verify that the header is correctly implemented and enforced by all browsers.
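The testing step above is easy to get wrong if you only check that some X-Frame-Options header exists: a value browsers do not recognise, or several conflicting values, leaves the page framable. The following checker is an added example, not part of this advisory or of any scanner's own code; it assumes response headers have already been captured as a dict or as (name, value) pairs (for instance from an HTTP client), and the sample responses at the bottom are constructed. It also flags ALLOW-FROM separately, because that directive is obsolete and modern browsers ignore a header that carries it, so it gives no protection in practice.

```python
"""Added example: classify a response's X-Frame-Options header.

Not part of the original advisory. Assumes the response headers have already
been captured as a dict or a list of (name, value) pairs. Header names are
matched case-insensitively, as HTTP requires.
"""

# Directives modern browsers actually enforce (compared case-insensitively)
EFFECTIVE_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def _header_values(headers, name):
    """Collect every value for `name` (case-insensitive) from a dict or list of pairs."""
    pairs = headers.items() if hasattr(headers, "items") else headers
    return [v.strip() for k, v in pairs if k.lower() == name.lower()]


def check_x_frame_options(headers):
    """Return (status, detail) describing the framing protection in `headers`.

    status is one of:
      "missing"      - no header at all; any origin may frame the page
      "ok"           - DENY or SAMEORIGIN
      "obsolete"     - ALLOW-FROM; modern browsers ignore the whole header
      "invalid"      - empty or unrecognised value, which browsers ignore
      "inconsistent" - several distinct values sent; configure a single one
    """
    values = _header_values(headers, "X-Frame-Options")
    if not values:
        return "missing", "X-Frame-Options not set; the page can be framed by any origin"

    # One header line may also carry a comma-separated list of values
    directives = [d.strip().upper() for v in values for d in v.split(",") if d.strip()]
    unique = sorted(set(directives))
    if len(unique) > 1:
        return "inconsistent", "multiple distinct values sent: " + ", ".join(unique)
    if not unique:
        return "invalid", "empty header value; browsers ignore it"

    directive = unique[0]
    if directive in EFFECTIVE_DIRECTIVES:
        return "ok", directive
    if directive.startswith("ALLOW-FROM"):
        return "obsolete", ("ALLOW-FROM is obsolete; modern browsers ignore the whole header, "
                            "use Content-Security-Policy frame-ancestors instead")
    return "invalid", "unrecognised value " + directive + "; browsers ignore it"


def audit(responses):
    """Run the check over several captured responses; returns {url: status}."""
    return {url: check_x_frame_options(h)[0] for url, h in responses.items()}


# Constructed sample responses for illustration (not real scan data)
SAMPLE_RESPONSES = {
    "https://example.test/login": {"Content-Type": "text/html"},
    "https://example.test/account": {"X-Frame-Options": "SAMEORIGIN"},
    "https://example.test/legacy": {"x-frame-options": "ALLOW-FROM https://partner.example"},
    "https://example.test/odd": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
}

if __name__ == "__main__":
    for url, status in audit(SAMPLE_RESPONSES).items():
        print(f"{status:12s} {url}")
```

Only "ok" should count as a pass; "obsolete", "invalid" and "inconsistent" all mean the server sends something, yet the page may still be framed, which is exactly what a presence-only check misses.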
References
- CWE-1021
- CWE-16
- Mozilla: Web Security
- Mozilla: X-Frame-Options
- OWASP 2021-A5
- OWASP: Clickjacking
- OWASP: X-Frame-Options Header
Last updated on May 13, 2024