X-Frame-Options header not implemented

By
Rejah Rehim
Published on
05 Jun 2018
2 min read

The X-Frame-Options HTTP response header tells a web browser whether it may render a page inside a <frame>, <iframe> or <object>. By ensuring that the content is not embedded in other sites, the header helps to stop clickjacking attacks. When the header is not implemented, the site cannot ensure that its content is not embedded in other websites, which exposes it to attacks such as clickjacking.

Impact

One of the most significant threats is clickjacking. Clickjacking is a malicious technique that tricks an end user into clicking on something other than what they perceive, such as a disguised link or button. While the user interacts with seemingly innocuous web pages, this can reveal confidential information or allow an attacker to take control of their computer.

Mitigation / Precaution

Beagle recommends the following measures:

  • Implement X-Frame-Options.
  • The possible values are:
    • SAMEORIGIN - Allows only the current site to frame the content.
    • DENY - Prevents any domain from framing the content.
    • ALLOW-FROM URI - Permits only the specified URI to frame the content.
  • Add the HTTP response header to every page.

Apache

The following directives must be added to the server's configuration (mod_headers must be enabled):

    # Add any one of the three. "always" also applies the header to
    # error responses (4xx/5xx), which are otherwise left unprotected.
    Header always set X-Frame-Options "DENY"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/"

Nginx

The following directives must be added to the server's configuration:

    # Add any one of the three. "always" also applies the header to
    # error responses, not only to 2xx/3xx responses.
    add_header X-Frame-Options "DENY" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/" always;

IIS

The following must be added to the site's web.config:

    <system.webServer>
      ...

      <httpProtocol>
        <customHeaders>
          <!-- value can be DENY, SAMEORIGIN or ALLOW-FROM <uri> -->
          <add name="X-Frame-Options" value="DENY" />
        </customHeaders>
      </httpProtocol>

      ...
    </system.webServer>

HAProxy

The following must be added to the server's configuration:

    # value can be DENY, SAMEORIGIN or ALLOW-FROM <uri>
    rspadd X-Frame-Options:\ DENY

    # rspadd was removed in HAProxy 2.1; on newer versions use instead:
    http-response set-header X-Frame-Options DENY

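Once the header is deployed, a quick check on the response confirms it is present exactly once and carries a value browsers honour. The following is an added example, not Beagle Security's own tooling; the header dictionaries are constructed rather than captured from a live site, and the check_xfo() name is an assumption.

```python
"""Validate an HTTP response's X-Frame-Options header (DENY, SAMEORIGIN,
ALLOW-FROM <uri>) as recommended above. Added example; header dicts are
constructed, and check_xfo() is an assumed name."""
from urllib.parse import urlparse

VALID = {"DENY", "SAMEORIGIN"}


def check_xfo(headers):
    """Return (ok, reason) for a mapping of response header names to values.

    Header names are matched case-insensitively. ok is True only when the
    header is present exactly once with a value a browser will honour.
    """
    values = []
    for name, value in headers.items():
        if name.lower() == "x-frame-options":
            # Duplicates sent by a server and a reverse proxy may arrive
            # merged into one comma-separated value; split them apart.
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return False, "X-Frame-Options header not implemented"
    if len(values) > 1:
        # Conflicting duplicates are treated as invalid by browsers.
        return False, f"multiple X-Frame-Options values: {values}"
    value = values[0]
    upper = value.upper()  # the value itself is case-insensitive
    if upper in VALID:
        return True, f"X-Frame-Options is {upper}"
    if upper.startswith("ALLOW-FROM"):
        uri = value[len("ALLOW-FROM"):].strip()
        parsed = urlparse(uri)
        if parsed.scheme and parsed.netloc:
            # ALLOW-FROM is ignored by Chromium-based browsers and was
            # dropped by Firefox, so it offers only partial protection.
            return True, (f"X-Frame-Options allows framing only from {uri}"
                          " (limited browser support)")
        return False, "ALLOW-FROM without a valid URI"
    return False, f"unrecognised X-Frame-Options value: {value!r}"


# Constructed sample responses (not captured from any real site).
SAMPLES = {
    "missing": {"Content-Type": "text/html"},
    "deny": {"content-type": "text/html", "x-frame-options": "deny"},
    "duplicate": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.beaglesecurity.com/"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLES.items():
        print(f"{label}: {check_xfo(hdrs)}")
```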
Written by
Rejah Rehim
Co-founder, Director