X-Frame-Options header not implemented

OWASP 2013-A5 OWASP 2017-A6 CAPEC-103 CWE-693 WASC-14 ISO27001-A.14.2.5 WSTG-CLNT-09

The X-Frame-Options HTTP response header tells a web browser whether it should be permitted to render a page inside a <frame>, <iframe> or <object>. The header helps prevent clickjacking attacks by ensuring that the page is not embedded in other sites. When it is not implemented, the site cannot ensure that its content is not embedded in other websites, which exposes it to attacks such as clickjacking.

Impact

One of the significant threats is clickjacking. Clickjacking is a malicious technique that tricks an end user into clicking on a link or control they did not intend to click. This can reveal confidential information, or allow an attacker to take control of the user's computer, while the user believes they are interacting with a seemingly innocuous web page.

Mitigation / Precaution

Beagle recommends the following measures:-

  • Implement the X-Frame-Options header.
  • The possible values are:-
    • SAMEORIGIN - Allows only the current site to frame the content.
    • DENY - Prevents any domain, including the site itself, from framing the content.
    • ALLOW-FROM URI - Permits only the specified URI to frame the content.
  • Add the HTTP response header to every page, not only the login or landing page.
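A small checker for the three values above, written as an added example for this page (it is not Beagle Security's scanner logic). It takes a response's headers as (name, value) pairs, because a header sent twice or with a comma-separated list is a conflict that the single-value directives do not allow, and classifies the result as missing, ok, weak or invalid. The sample responses at the bottom are constructed; the "weak" class for ALLOW-FROM reflects the fact that current browsers no longer honour that directive, so a site relying on it is effectively unprotected in those browsers.

```python
"""Classify an HTTP response's X-Frame-Options header.

Added example code; the sample responses below are constructed, not real scans.
"""
from urllib.parse import urlsplit

HEADER = "x-frame-options"
STRICT_DIRECTIVES = {"DENY", "SAMEORIGIN"}


def check_x_frame_options(headers):
    """Return (status, detail) for a response given as a list of (name, value) pairs.

    status is one of:
      "missing" - header absent; any origin may frame the page
      "ok"      - DENY or SAMEORIGIN
      "weak"    - syntactically valid ALLOW-FROM; current browsers ignore it
      "invalid" - unrecognised or conflicting value; the browser may ignore the header
    """
    # Header names are case-insensitive; collect every occurrence, not just the first.
    values = [v.strip() for n, v in headers if n.lower() == HEADER]
    if not values:
        return "missing", "no X-Frame-Options header; any origin may frame this page"

    # A duplicated header or a comma-separated list yields several tokens.
    tokens = [t.strip() for v in values for t in v.split(",") if t.strip()]
    if not tokens:
        return "invalid", "X-Frame-Options present but empty"
    if len({t.upper() for t in tokens}) > 1:
        return "invalid", f"conflicting values {tokens}; browsers do not handle this consistently"

    value = tokens[0]
    upper = value.upper()
    if upper in STRICT_DIRECTIVES:
        return "ok", f"{upper} set"

    if upper.startswith("ALLOW-FROM"):
        uri = value[len("ALLOW-FROM"):].strip()
        parts = urlsplit(uri)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            return "invalid", f"ALLOW-FROM requires an absolute http(s) URI, got {uri!r}"
        return "weak", f"ALLOW-FROM {uri}: current browsers ignore this directive"

    return "invalid", f"unrecognised value {value!r}; browsers ignore an invalid header"


# Constructed sample responses: one header list per hypothetical page.
SAMPLE_RESPONSES = {
    "/no-header": [("Content-Type", "text/html")],
    "/deny": [("Content-Type", "text/html"), ("X-Frame-Options", "DENY")],
    "/sameorigin": [("x-frame-options", "sameorigin")],
    "/duplicated": [("X-Frame-Options", "DENY"), ("X-Frame-Options", "SAMEORIGIN")],
    "/allow-from": [("X-Frame-Options", "ALLOW-FROM https://example.beaglesecurity.com/")],
    "/allow-from-bad": [("X-Frame-Options", "ALLOW-FROM example")],
    "/typo": [("X-Frame-Options", "ALLOWALL")],
}


def audit(responses):
    """Map each page to its status so a report can list what still needs fixing."""
    return {path: check_x_frame_options(hdrs)[0] for path, hdrs in responses.items()}


if __name__ == "__main__":
    for path, hdrs in SAMPLE_RESPONSES.items():
        status, detail = check_x_frame_options(hdrs)
        print(f"{path:16} {status:8} {detail}")
```

Anything other than "ok" is a finding: "missing" and "invalid" mean the page can be framed, and "weak" means the protection depends on a directive modern browsers drop.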

Apache

The below code must be added to the server’s configuration.

    # Add any one of the three (Apache configuration comments start with '#').
    # "always" also applies the header to error responses, not only successful ones.
    Header set X-Frame-Options DENY
    Header always set X-Frame-Options SAMEORIGIN
    Header set X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/"


Nginx

The below code must be added to the server’s configuration:-

    # Add any one of the three (Nginx configuration comments start with '#').
    # Each directive must end with a semicolon.
    add_header X-Frame-Options DENY;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/";


IIS

The below code must be added to the server’s configuration:-

    <!-- Add one entry in web.config; XML comments use this syntax, not /* */ -->
    <system.webServer>
      ...

      <httpProtocol>
        <customHeaders>
          <!-- value can be DENY, SAMEORIGIN or ALLOW-FROM followed by a URI -->
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>

      ...
    </system.webServer>


HAProxy

The below code must be added to the server’s configuration:-

    # Value can be DENY, SAMEORIGIN or ALLOW-FROM followed by a URI.
    # The backslash escapes the space between the header name and its value.
    # rspadd applies to HAProxy versions before 2.1; later releases replace it with
    # the http-response set-header directive.
    rspadd X-Frame-Options:\ DENY
