X-Frame-Options header cannot be recognized

OWASP 2013-A5 OWASP 2017-A6 CAPEC-103 CWE-693 ISO27001-A.14.2.5 WSTG-CLNT-09

The X-Frame-Options HTTP response header indicates whether a web browser should be permitted to render a page inside a <frame>, <iframe> or <object>. It helps to stop clickjacking attacks by ensuring that the page is not embedded into other sites.

This finding is reported when a response carries no usable X-Frame-Options header. Because X-Frame-Options is a per-page policy that every response must set on its own, it is easy to miss, and the header itself has known limitations:-

  • The browser may not support it, or may not support a particular directive such as ALLOW-FROM
  • Multiple options in one response are not supported; browsers do not merge them
  • Nested frames are not handled consistently (browsers differ on whether SAMEORIGIN checks every ancestor frame or only the top-level page)

This weakness enables attacks such as clickjacking.

Example

The code below is an ineffective way to set X-Frame-Options: browsers only honour the policy when it arrives as an HTTP response header, so the <meta> form is ignored.

    <meta http-equiv="X-Frame-Options" content="deny">
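
Added example (not part of the original article): a small Python checker that takes the headers and body of one HTTP response and reports the failure modes described above - a missing header, multiple conflicting values, the unsupported ALLOW-FROM directive, an unrecognised value, and the ineffective <meta> form. The response it inspects in the usage block is a constructed sample.

```python
import re
from typing import Dict, List

# Directives that every X-Frame-Options-aware browser recognises.
VALID_DIRECTIVES = {"DENY", "SAMEORIGIN"}

# Matches the <meta http-equiv="X-Frame-Options"> form, which browsers ignore.
META_XFO = re.compile(r'http-equiv\s*=\s*["\']?x-frame-options', re.IGNORECASE)


def header_values(headers: Dict[str, List[str]], name: str) -> List[str]:
    """Collect every value sent for a header, matching the name case-insensitively
    and splitting comma-joined values the way a proxy may have merged them."""
    found: List[str] = []
    for key, values in headers.items():
        if key.lower() == name.lower():
            for value in values:
                found.extend(part.strip() for part in value.split(",") if part.strip())
    return found


def check_x_frame_options(headers: Dict[str, List[str]], body: str = "") -> List[str]:
    """Return findings explaining why framing protection may fail for one response.

    headers maps header name -> list of values from the HTTP response; body is the
    HTML body, inspected only for the <meta> form. An empty list means exactly one
    recognised X-Frame-Options value was sent.
    """
    findings: List[str] = []
    values = header_values(headers, "X-Frame-Options")

    if not values:
        findings.append("missing: no X-Frame-Options header, so any origin may frame this page")
    elif len(values) > 1:
        # Browsers do not merge several values; a conflicting set is treated as
        # invalid and the outcome is browser-specific.
        findings.append("multiple values %s: browsers do not merge X-Frame-Options" % values)
    else:
        directive = values[0].upper()
        if directive.startswith("ALLOW-FROM"):
            findings.append("ALLOW-FROM is not supported by most current browsers, which ignore the header")
        elif directive not in VALID_DIRECTIVES:
            findings.append("unrecognised value %r: browsers ignore an invalid X-Frame-Options" % values[0])

    if META_XFO.search(body):
        findings.append("meta http-equiv form found in body: browsers ignore it; send the HTTP header instead")
    return findings


if __name__ == "__main__":
    # Constructed sample response: only the ineffective <meta> form, no real header.
    sample_body = '<html><head><meta http-equiv="X-Frame-Options" content="deny"></head></html>'
    for finding in check_x_frame_options({"Content-Type": ["text/html"]}, sample_body):
        print(finding)
```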

Impact

The most significant threat is clickjacking. Clickjacking is a malicious technique that tricks an end user into clicking on a link or control other than the one they think they are clicking. It can reveal confidential information, or allow an attacker to take control of the user's computer, while the user is clicking on seemingly innocuous web pages.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Implement X-Frame-Options
    • The possible values are:-
      • SAMEORIGIN - Allows only the current site to frame the content.
      • DENY - Prevents any domain from framing the content.
      • ALLOW-FROM URI - Permits only the specified URI to frame the content (not supported by all browsers).
  • Add the HTTP response header to every page, including error pages, since the policy applies per response.

Apache

The below code must be added to the server’s configuration.

    # add any one of the three
    Header set X-Frame-Options DENY
    # "always" also sets the header on error responses (4xx/5xx)
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/"

Nginx

The below code must be added to the server’s configuration:-

    # add any one of the three
    # (append the "always" parameter, nginx 1.7.5+, to send the header on error responses too)
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/";

IIS

The below code must be added to the server’s configuration:-

    <!-- add the customHeaders entry below; value can be DENY, SAMEORIGIN or ALLOW-FROM <uri> -->
    <system.webServer>
      ...

      <httpProtocol>
        <customHeaders>
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>

      ...
    </system.webServer>

HAProxy

The below code must be added to the server’s configuration:-

    # value can be DENY, SAMEORIGIN or ALLOW-FROM <uri>
    # rspadd is deprecated in HAProxy 2.0 and removed in 2.1; newer releases use http-response set-header
    rspadd X-Frame-Options:\ DENY
