
Missing_X-Frame-Options

Description

The X-Frame-Options response header helps prevent clickjacking by controlling whether a page may be rendered inside a frame, iframe, embed, or object element on another site. Without a restrictive policy (DENY or SAMEORIGIN), an attacker can load your application's pages in an invisible or disguised frame on a site they control and trick a logged-in user into clicking controls they cannot see, for example a transfer confirmation, a permission grant, or a settings change. Because the clicks arrive from the victim's own browser with the victim's session cookies, the application processes them as legitimate, so the result can be unauthorized transactions, account changes, or other state-changing actions performed without the user's knowledge.

Remediation

Send the X-Frame-Options header on every HTML response, including error pages and pages served by other backends, not only on the landing page. Use DENY to forbid all framing or SAMEORIGIN to allow framing only by pages from the same origin. Do not rely on ALLOW-FROM: it is deprecated, and browsers that do not recognise the value ignore the header entirely, which leaves the page unprotected. Where a specific set of external origins must be allowed, or for more granular control generally, add Content-Security-Policy: frame-ancestors alongside X-Frame-Options. Browsers that support frame-ancestors give it precedence and ignore X-Frame-Options when the directive is present, while older clients fall back to X-Frame-Options, so sending both covers the whole client population. Both controls only work as HTTP response headers; X-Frame-Options and frame-ancestors inside an HTML meta tag are ignored.

Ensure that reverse proxies, CDNs, and load balancers do not strip, overwrite, or duplicate the header with a conflicting value. A Web Application Firewall cannot reliably stop clickjacking, because the framed request originates from the victim's own browser and looks like normal traffic; at most it can use the Fetch Metadata request headers (Sec-Fetch-Dest: iframe together with Sec-Fetch-Site: cross-site) as a secondary signal, and the response header remains the actual control. Audit the headers regularly in every environment, for example with curl -I against representative authenticated and unauthenticated pages, to confirm the defence is present and consistent.
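The following is an added example, not code from the original page: a small Node.js module that (a) builds the X-Frame-Options and Content-Security-Policy header pair for a given framing policy, and (b) audits a captured response header block the way a browser would evaluate it, so that a stripped header, a deprecated ALLOW-FROM value, a proxy-added conflicting value, or an over-permissive frame-ancestors list is reported. The sample header blocks, the partner origin https://partner.example, and the function names are constructed for this illustration. The precedence rules encoded in auditFraming (frame-ancestors wins over X-Frame-Options; conflicting X-Frame-Options values block framing; unrecognised values are ignored) follow the CSP and HTML specifications.

```javascript
'use strict';

// Build the anti-framing headers for a page. `ancestors` is a list of CSP
// source expressions the page may be framed by (empty = nobody).
// Design choice (assumption of this example): always emit both headers.
// Browsers that support frame-ancestors give it precedence; older clients
// fall back to X-Frame-Options, whose only safe values are DENY and
// SAMEORIGIN (ALLOW-FROM is deprecated and ignored by current browsers).
function framingHeaders(ancestors = []) {
  const headers = {};
  if (ancestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else if (ancestors.length === 1 && ancestors[0] === "'self'") {
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] = "frame-ancestors 'self'";
  } else {
    // A list of partner origins can only be expressed with CSP. SAMEORIGIN
    // stays as the legacy fallback so browsers without CSP fail closed.
    headers['X-Frame-Options'] = 'SAMEORIGIN';
    headers['Content-Security-Policy'] = `frame-ancestors ${ancestors.join(' ')}`;
  }
  return headers;
}

// Audit a raw response header block (e.g. the output of `curl -sI URL`).
// Returns { protected: boolean, reason: string }.
function auditFraming(rawHeaders) {
  const lines = rawHeaders.split(/\r?\n/).slice(1); // drop the status line
  const values = (name) => lines
    .filter((l) => l.toLowerCase().startsWith(`${name.toLowerCase()}:`))
    .map((l) => l.slice(l.indexOf(':') + 1).trim());

  // 1. A frame-ancestors directive takes precedence over X-Frame-Options.
  for (const policy of values('Content-Security-Policy')) {
    const directive = policy.split(';').map((d) => d.trim())
      .find((d) => /^frame-ancestors\b/i.test(d));
    if (!directive) continue;
    const sources = directive.split(/\s+/).slice(1);
    // '*' or a bare scheme source (https:) lets any site frame the page.
    const open = sources.some((s) => s === '*' || /^https?:$/i.test(s));
    return open
      ? { protected: false, reason: `frame-ancestors allows any origin: ${directive}` }
      : { protected: true, reason: directive };
  }

  // 2. Otherwise X-Frame-Options applies. Multiple header instances or a
  //    comma-separated list are merged; conflicting values block framing.
  const xfo = values('X-Frame-Options')
    .flatMap((v) => v.split(',').map((s) => s.trim().toUpperCase()));
  if (xfo.length === 0) {
    return { protected: false, reason: 'no X-Frame-Options and no frame-ancestors' };
  }
  if (new Set(xfo).size > 1) {
    return { protected: true,
      reason: `conflicting values ${xfo.join(', ')} block framing but indicate a proxy adding its own header; collapse to one value` };
  }
  if (xfo[0] === 'DENY' || xfo[0] === 'SAMEORIGIN') {
    return { protected: true, reason: `X-Frame-Options: ${xfo[0]}` };
  }
  return { protected: false, reason: `unrecognised X-Frame-Options value is ignored by browsers: ${xfo[0]}` };
}

// Constructed sample responses, not captured from any real site.
const SAMPLES = {
  missing: ['HTTP/1.1 200 OK', 'Content-Type: text/html',
    'Set-Cookie: session=9f3c; Secure; HttpOnly'].join('\r\n'),
  allowFrom: ['HTTP/1.1 200 OK', 'Content-Type: text/html',
    'X-Frame-Options: ALLOW-FROM https://partner.example'].join('\r\n'),
  conflicting: ['HTTP/1.1 200 OK', 'X-Frame-Options: DENY',
    'X-Frame-Options: SAMEORIGIN'].join('\r\n'),
  cspOpen: ['HTTP/1.1 200 OK',
    "Content-Security-Policy: default-src 'self'; frame-ancestors *"].join('\r\n'),
  cspWins: ['HTTP/1.1 200 OK', 'X-Frame-Options: ALLOW-FROM https://partner.example',
    "Content-Security-Policy: frame-ancestors 'self' https://partner.example"].join('\r\n'),
  hardened: ['HTTP/1.1 200 OK', 'X-Frame-Options: SAMEORIGIN',
    "Content-Security-Policy: frame-ancestors 'self'"].join('\r\n'),
};

// Run every sample through the audit; returns { name: protected }.
function auditAll(samples = SAMPLES) {
  const result = {};
  for (const [name, raw] of Object.entries(samples)) {
    result[name] = auditFraming(raw).protected;
  }
  return result;
}

console.log(auditAll());
```

To check a live deployment, pipe the output of curl -sI for each page and environment into auditFraming; a page that passes in staging but fails in production usually means an intermediate proxy or CDN is rewriting the header. The headers returned by framingHeaders can be spread into the response headers of any Node HTTP or Express handler.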

References

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
https://owasp.org/www-project-secure-headers/#x-frame-options
https://owasp.org/www-community/attacks/Clickjacking

Severity

MEDIUM

OWASP

Code: A05:2021

Category: Security Misconfiguration

Classification

CWE-1021
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

5.4

CVSS:4.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

4.2