X-Frame-Options Header is Missing

Impact: Low

Description

The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid click-jacking attacks, by ensuring that their content is not embedded into other sites. (Source: Mozilla)

Recommendation

Configure your server to send this header on every page. See the references for the possible values.
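
One way to verify the recommendation across a set of pages, as an added example that is not part of the original page or of SmartScanner. The function names, status strings and sample header data are assumptions constructed for illustration.

```python
# Added example; names, status strings and sample data are illustrative.
VALID_XFO = {"deny", "sameorigin"}  # the values that restrict framing


def xfo_status(headers):
    """Classify one response from its headers, a list of (name, value) pairs.

    Returns "ok", "missing", "invalid" or "conflicting".
    """
    # The header may be sent more than once (application plus proxy), and
    # each occurrence may be a comma-separated list, so flatten both forms.
    tokens = set()
    for name, value in headers:
        if name.strip().lower() == "x-frame-options":
            tokens.update(t.strip().lower() for t in value.split(","))
    tokens.discard("")  # an empty header value is treated as missing
    if not tokens:
        return "missing"
    if len(tokens) > 1:
        return "conflicting"  # e.g. DENY from the app, SAMEORIGIN from the proxy
    # Anything else (typos, the obsolete ALLOW-FROM form) gives no protection
    # in current browsers, so report it rather than counting it as present.
    return "ok" if tokens <= VALID_XFO else "invalid"


def audit_pages(responses):
    """Return {path: status} for every page whose header needs fixing."""
    return {path: status
            for path, headers in responses.items()
            if (status := xfo_status(headers)) != "ok"}


# Constructed sample: response headers as captured from four pages of a site.
SAMPLE = {
    "/": [("X-Frame-Options", "DENY")],
    "/login": [("Content-Type", "text/html")],
    "/account": [("x-frame-options", "SAMEORIGIN"), ("X-Frame-Options", "DENY")],
    "/help": [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
}

if __name__ == "__main__":
    for path, status in audit_pages(SAMPLE).items():
        print(f"{path}: X-Frame-Options {status}")
```

Feeding it headers from every route, including error pages and redirects, catches the common case where the header is set in the application but dropped or duplicated by a proxy in front of it.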

References

Last updated on February 15, 2021
