The X-Frame-Options HTTP response header tells a browser whether it may render the page inside a `<frame>`, `<iframe>`, `<embed>` or `<object>`. It helps to stop clickjacking attacks by preventing the page from being embedded into sites the owner does not control.
X-Frame-Options is a per-page policy: the header must be sent with every response, and any page that omits it remains frameable. The header also has known limitations:
Older browsers do not support it at all.
It cannot carry multiple options: only one value is accepted, so a page cannot allow-list several framing origins.
SAMEORIGIN and ALLOW-FROM behave inconsistently with nested frames, because browsers differ on whether they check every ancestor frame or only the top-level page.
A missing or misconfigured header leaves the page open to clickjacking.
Example
The code below is an ineffective way to implement X-Frame-Options.
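The ineffective approach next to the working one, as an added example that is not code from the original page: `meta_only_app` tries to set X-Frame-Options with a `<meta http-equiv>` tag inside the HTML, which browsers ignore for this header, while `header_app` sends it as a real HTTP response header. `with_x_frame_options` is a WSGI wrapper that stamps the header on every response of an application, which addresses the per-page pitfall. The request, the page body and the paths are constructed locally with `wsgiref` so the demo runs offline.

```python
"""Added example, not code from the original page: X-Frame-Options set via
<meta> (ignored by browsers) versus as a real response header, plus a WSGI
middleware that applies the header to every page."""
from wsgiref.util import setup_testing_defaults

# Constructed sample page with a state-changing control worth clickjacking.
PAGE = b"<html><body><form action='/delete'><button>Delete account</button></form></body></html>"


def meta_only_app(environ, start_response):
    # INEFFECTIVE: X-Frame-Options only works as an HTTP header. Browsers ignore
    # it inside <meta http-equiv>, so this page can still be framed anywhere.
    body = (b'<html><head><meta http-equiv="X-Frame-Options" content="DENY"></head>'
            + PAGE[len(b"<html>"):])
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(body)))])
    return [body]


def header_app(environ, start_response):
    # EFFECTIVE: the policy travels in the response headers, where browsers read it.
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("Content-Length", str(len(PAGE))),
                              ("X-Frame-Options", "DENY")])
    return [PAGE]


def with_x_frame_options(app, value="SAMEORIGIN"):
    """WSGI middleware: add X-Frame-Options to every response of `app`.

    Any value the wrapped app already set is replaced, so the policy is
    uniform across all pages instead of depending on each handler.
    """
    def wrapped(environ, start_response):
        def start_with_header(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, start_with_header)
    return wrapped


def fetch(app, path="/settings"):
    """Run a WSGI app in-process; return (status, headers dict, body bytes)."""
    environ = {}
    setup_testing_defaults(environ)   # constructed request, no network involved
    environ["PATH_INFO"] = path
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {k.lower(): v for k, v in headers}

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def framing_policy(app):
    """Return the X-Frame-Options value a browser would see, or None if absent."""
    _, headers, _ = fetch(app)
    return headers.get("x-frame-options")


if __name__ == "__main__":
    for name, app in [("meta_only_app", meta_only_app),
                      ("header_app", header_app),
                      ("meta_only_app wrapped", with_x_frame_options(meta_only_app))]:
        print(f"{name:22s} -> X-Frame-Options: {framing_policy(app)}")
```

Running the block shows `meta_only_app` delivering no header at all, which is exactly what a browser sees; wrapping the same app with `with_x_frame_options` is the programmatic equivalent of setting the header in the web server configuration.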
Impact
The main threat is clickjacking. In a clickjacking attack the target page is loaded in an invisible or disguised frame on a page the attacker controls, so a user who thinks they are clicking on something harmless is actually clicking on the framed page. Because the frame carries the user's session, the click can trigger actions on their behalf, such as changing settings, authorising a payment or disclosing confidential information.
Mitigation / Precaution
Beagle recommends the following fixes:
Implement X-Frame-Options
The possible values are:
SAMEORIGIN - The page may be framed only by pages from the same origin (scheme, host and port).
DENY - The page may not be framed by any site, including its own.
ALLOW-FROM URI - Permits framing only by the single origin given. This value is obsolete: current browsers ignore it and then apply no restriction at all, so it must not be relied on. To allow specific origins, use the Content-Security-Policy frame-ancestors directive instead.
Send the header on every response. X-Frame-Options is a per-page policy, so a single page that omits it can still be framed. Setting it in the web server or reverse proxy configuration covers every page at once.
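Once the header is deployed, the check a tester runs is to classify the X-Frame-Options value of every captured response against the options listed above. The classifier below is an added example, not code from the original page; the hostnames and header lists in `SAMPLE_RESPONSES` are constructed for the demo.

```python
"""Added example, not code from the original page: classify the
X-Frame-Options header of captured responses, flagging pages that are
missing it, use the obsolete ALLOW-FROM, or send more than one value."""

SUPPORTED_VALUES = {"DENY", "SAMEORIGIN"}


def assess_x_frame_options(headers):
    """Return (verdict, detail) for a list of (name, value) response headers.

    verdict: "missing"    - no header, the page can be framed by any site
             "protected"  - exactly one supported value (DENY or SAMEORIGIN)
             "allow-from" - ALLOW-FROM, which current browsers no longer honour
             "invalid"    - repeated/multiple or unrecognised values
    """
    values = [v.strip() for k, v in headers if k.lower() == "x-frame-options"]
    if not values:
        return "missing", "no X-Frame-Options header"
    # A repeated header or a comma-separated list is not valid syntax: the
    # header takes one value, and browsers do not merge several into a policy.
    tokens = [t.strip() for v in values for t in v.split(",") if t.strip()]
    if len(tokens) != 1:
        return "invalid", "expected one value, got %r" % tokens
    token = tokens[0]
    if token.upper() in SUPPORTED_VALUES:
        return "protected", token.upper()
    if token.upper().startswith("ALLOW-FROM"):
        return "allow-from", ("%s: obsolete, ignored by current browsers; "
                              "use Content-Security-Policy frame-ancestors" % token)
    return "invalid", "unrecognised value %r" % token


# Constructed sample: header lists as they might be captured from five pages
# of a hypothetical application (placeholder hostnames).
SAMPLE_RESPONSES = {
    "https://app.example/settings": [("Content-Type", "text/html")],
    "https://app.example/login":    [("Content-Type", "text/html"),
                                     ("X-Frame-Options", "deny")],
    "https://app.example/widget":   [("X-Frame-Options", "SAMEORIGIN")],
    "https://app.example/legacy":   [("X-Frame-Options", "ALLOW-FROM https://partner.example")],
    "https://app.example/mixed":    [("X-Frame-Options", "DENY"),
                                     ("X-Frame-Options", "SAMEORIGIN")],
}


def audit(responses):
    """Map each URL to its verdict; anything but 'protected' needs a fix."""
    return {url: assess_x_frame_options(hdrs)[0] for url, hdrs in responses.items()}


def unprotected(responses):
    """Sorted list of URLs whose framing policy is absent, obsolete or invalid."""
    return sorted(url for url, verdict in audit(responses).items() if verdict != "protected")


if __name__ == "__main__":
    for url, hdrs in SAMPLE_RESPONSES.items():
        verdict, detail = assess_x_frame_options(hdrs)
        print(f"{verdict:10s} {url}  ({detail})")
```

Header names and values are matched case-insensitively because that is how browsers treat them; the `mixed` entry shows why a reverse proxy and an application must not both set the header with different values.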
Apache
The below code must be added to the server’s configuration.
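The directive below is an added example of the Apache configuration, not the page's own snippet. It assumes mod_headers is enabled; `always` makes the header apply to error responses as well as successful ones.

```apache
# Requires mod_headers (on Debian/Ubuntu: a2enmod headers).
# Place in the server or virtual host configuration, or in .htaccess where AllowOverride permits it.
Header always set X-Frame-Options "SAMEORIGIN"
```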
Nginx
The below code must be added to the server's configuration.
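The directive below is an added example of the Nginx configuration, not the page's own snippet. Note the inheritance caveat: a `location` block that declares any `add_header` of its own stops inheriting the `add_header` directives of the enclosing `server` or `http` block, so the header must be repeated in every such block.

```nginx
# In the http, server or location context; "always" also covers error responses.
add_header X-Frame-Options "SAMEORIGIN" always;
```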
IIS
The below code must be added to the server's configuration.
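The fragment below is an added example of the IIS web.config setting, not the page's own snippet; it can also be entered through the HTTP Response Headers feature in IIS Manager.

```xml
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="X-Frame-Options" value="SAMEORIGIN" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
```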
HAProxy
The below code must be added to the server's configuration.
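The line below is an added example of the HAProxy configuration, not the page's own snippet; `http-response set-header` overwrites any value a backend already sent, so the policy is uniform for every page behind the proxy.

```haproxy
# In a frontend, backend or listen section.
http-response set-header X-Frame-Options SAMEORIGIN
```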