The X-Frame-Options HTTP response header indicates whether a web browser should be permitted to render a webpage in a <frame>, <iframe> or <object>. It helps to stop clickjacking attacks by ensuring that the content is not embedded in other sites. Without this header, the site cannot ensure that its contents are not embedded in other websites, which exposes it to attacks such as clickjacking.
One of the most significant threats is clickjacking. Clickjacking is a malicious technique for tricking an end user into clicking on a link. It can reveal confidential information, or allow an attacker to take control of the user's computer, while the user is clicking on seemingly innocuous web pages.
Beagle recommends the following measures:-
For Apache (the Header directive requires mod_headers), add any one of the following three lines to the server's configuration:
# add any one of the three
Header set X-Frame-Options DENY
Header always set X-Frame-Options SAMEORIGIN
# ALLOW-FROM is not supported by current browsers; use the CSP frame-ancestors directive to allow-list framing origins
Header set X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/"
For Nginx, add any one of the following three lines to the server's configuration (in the http, server or location block):
# add any one of the three
# note: add_header directives in a nested block replace, rather than extend, those inherited from the parent block
add_header X-Frame-Options DENY;
add_header X-Frame-Options SAMEORIGIN;
# ALLOW-FROM is not supported by current browsers; use the CSP frame-ancestors directive to allow-list framing origins
add_header X-Frame-Options "ALLOW-FROM https://example.beaglesecurity.com/";
For IIS, add the following to the site's web.config:
<!-- value can be DENY, SAMEORIGIN or ALLOW-FROM; ALLOW-FROM is not supported by current browsers -->
<system.webServer>
  ...
  <httpProtocol>
    <customHeaders>
      <add name="X-Frame-Options" value="DENY" />
    </customHeaders>
  </httpProtocol>
  ...
</system.webServer>
For HAProxy, add the following to the frontend or backend section of the configuration:
# value can be DENY, SAMEORIGIN or ALLOW-FROM; ALLOW-FROM is not supported by current browsers
# rspadd is deprecated in recent HAProxy releases; the equivalent on current versions is:
#   http-response set-header X-Frame-Options DENY
rspadd X-Frame-Options:\ DENY
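As an added example that is not part of the original advisory, the following Python checker classifies the framing protection a response's headers provide, covering the values configured above (DENY, SAMEORIGIN, the unsupported ALLOW-FROM) and the CSP frame-ancestors directive that takes precedence over the header; the status names and the sample responses are constructed assumptions.

```python
"""Added example (not from the advisory): classify the framing protection that a
set of HTTP response headers provides. Status names and samples are constructed."""
from typing import Dict, List, Tuple

def _frame_ancestors(csp: str) -> List[str]:
    """Sources of a CSP frame-ancestors directive, or [] if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return []

def check_frame_protection(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (status, reason); status is 'protected', 'ineffective' or 'missing'.
    Assumed browser behaviour: CSP frame-ancestors overrides X-Frame-Options;
    DENY and SAMEORIGIN are honoured; ALLOW-FROM and any other unrecognised
    value are ignored by current browsers, which leaves the page frameable."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    sources = _frame_ancestors(h.get("content-security-policy", ""))
    if sources:
        if sources == ["*"]:
            return "ineffective", "frame-ancestors * allows framing by any origin"
        return "protected", "CSP frame-ancestors " + " ".join(sources)
    xfo = h.get("x-frame-options")
    if xfo is None:
        return "missing", "neither X-Frame-Options nor CSP frame-ancestors is set"
    values = [v.strip().lower() for v in xfo.split(",") if v.strip()]
    if len(values) != 1:
        return "ineffective", "X-Frame-Options must carry exactly one value"
    if values[0] in ("deny", "sameorigin"):
        return "protected", "X-Frame-Options " + values[0].upper()
    if values[0].startswith("allow-from"):
        return "ineffective", "ALLOW-FROM is unsupported; use CSP frame-ancestors instead"
    return "ineffective", f"unrecognised X-Frame-Options value {xfo!r}"

# Constructed sample responses, one per configuration style shown above.
SAMPLE_RESPONSES = {
    "apache-deny": {"Server": "Apache", "X-Frame-Options": "DENY"},
    "nginx-allow-from": {"x-frame-options": "ALLOW-FROM https://example.beaglesecurity.com/"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "no-header": {"Content-Type": "text/html"},
}

def audit(responses: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """Map each sample name to its protection status."""
    return {name: check_frame_protection(hdrs)[0] for name, hdrs in responses.items()}
```

Run against real responses by feeding the header dictionary returned by your HTTP client to check_frame_protection; anything other than "protected" should be treated as a finding.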