X-Frame-Options header cannot be recognized

By
Nash N Sulthan
Published on
05 Jun 2018
2 min read

The X-Frame-Options HTTP response header indicates whether a web browser should be permitted to render a page inside a <frame>, <iframe> or <object>. Sending this header helps prevent clickjacking attacks by ensuring that the page's content is not embedded into other sites.

This problem is generally due to the policy being specified per page. The header may fail to be recognized for the following reasons:-

  • The browser may not support the header
  • Multiple options in one header may not be supported
  • Nested frames do not work as expected

This vulnerability enables attacks such as clickjacking.

Example

The code below is an ineffective way to implement X-Frame-Options: browsers only honour the policy when it arrives as an HTTP response header and ignore it in a <meta> tag.

    <meta http-equiv="X-Frame-Options" content="deny">


Impact

One of the most significant threats is clickjacking. Clickjacking is a malicious technique for tricking an end user into clicking on a link or control hidden beneath a seemingly innocuous web page. It can potentially reveal confidential information, or an attacker can take control of the user's computer while they interact with the page.

Mitigation / Precaution

Beagle recommends the following fixes:-

  • Implement X-Frame-Options
    • The possible values are:-
      • SAMEORIGIN - allows only the current site to frame the content.
      • DENY - prevents any domain from framing the content.
      • ALLOW-FROM URI - permits only the specified URI to frame the content.
  • Send the HTTP response header on every page, not just the login or landing page.
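As an added example (not code from the article or from Beagle Security), the following Python check classifies a response's framing policy the way this finding is reported: it flags a missing header, conflicting or unrecognized values, the <meta>-tag variant shown above, and the obsolete ALLOW-FROM form. The sample response is constructed inline; feed it real headers captured from your own server to verify the fixes below.

```python
import re
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]
# Matches X-Frame-Options delivered through a <meta http-equiv> tag (ignored by browsers).
META_XFO = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?x-frame-options', re.I)


def parse_raw_response(raw: str) -> Tuple[Headers, str]:
    """Split a raw HTTP response into lower-cased (name, value) headers and the body."""
    head, _, body = raw.partition("\r\n\r\n")
    headers: Headers = []
    for line in head.split("\r\n")[1:]:  # index 0 is the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers, body


def evaluate_xfo(headers: Headers, body: str = "") -> Dict[str, object]:
    """Classify the framing policy: {"ok": bool, "policy": str | None, "findings": [...]}."""
    findings: List[str] = []
    # Collect every X-Frame-Options value, splitting comma-joined duplicates into tokens.
    tokens = [t.strip().upper() for n, v in headers if n == "x-frame-options"
              for t in v.split(",") if t.strip()]
    csp = " ".join(v for n, v in headers if n == "content-security-policy").lower()
    if META_XFO.search(body):
        findings.append("X-Frame-Options set in a <meta> tag: browsers ignore it there")
    if "frame-ancestors" in csp:
        findings.append("CSP frame-ancestors present: it takes precedence over X-Frame-Options")
    if not tokens:
        if "frame-ancestors" in csp:
            return {"ok": True, "policy": "frame-ancestors", "findings": findings}
        findings.append("X-Frame-Options header missing")
        return {"ok": False, "policy": None, "findings": findings}
    if len(set(tokens)) > 1:
        findings.append(f"conflicting X-Frame-Options values {tokens}: browser handling differs")
        return {"ok": False, "policy": None, "findings": findings}
    policy = tokens[0]
    if policy in ("DENY", "SAMEORIGIN"):
        return {"ok": True, "policy": policy, "findings": findings}
    if policy.startswith("ALLOW-FROM"):
        # ALLOW-FROM is not honoured by current browsers (Chrome never implemented it; Firefox dropped it).
        findings.append("ALLOW-FROM is obsolete; use CSP frame-ancestors instead")
    else:
        findings.append(f"unrecognised X-Frame-Options value {policy!r}")
    return {"ok": False, "policy": policy, "findings": findings}


# Constructed sample (not captured from a real site): the policy is set only via <meta>.
SAMPLE_RESPONSE = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   '<html><head><meta http-equiv="X-Frame-Options" content="deny"></head></html>')
```

Run `evaluate_xfo(*parse_raw_response(SAMPLE_RESPONSE))` to see both the <meta> finding and the missing-header finding for the sample.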

Apache

The code below must be added to the server's configuration (mod_headers must be enabled):

    # add any one of the three; "always" also sends the header on error responses
    Header always set X-Frame-Options "DENY"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/"


Nginx

The code below must be added to the server's configuration:-

    # add any one of the three; append "always" before the ";" to send it on error responses too
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/";


IIS

The code below must be added to the server's configuration (web.config):-

    <system.webServer>
      ...
      <httpProtocol>
        <customHeaders>
          <!-- value can be DENY, SAMEORIGIN or ALLOW-FROM <uri> -->
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>
      ...
    </system.webServer>


HAProxy

The code below must be added to the server's configuration:-

    # value can be DENY, SAMEORIGIN or ALLOW-FROM <uri>
    rspadd X-Frame-Options:\ DENY
    # rspadd is deprecated in HAProxy 2.x; the equivalent directive is:
    http-response set-header X-Frame-Options DENY


Written by
Nash N Sulthan
Cyber Security Lead Engineer