X-Frame-Options Header Not Set

Reference

Plugin Id: 10020 | CWE: 1021

Remediation

To mitigate the vulnerability “X-Frame-Options Header Not Set” and protect against “ClickJacking” attacks, the X-Frame-Options header should be included in the HTTP response. This header allows the website to control how it should be embedded in a frame or iframe by other websites. There are three possible values for the X-Frame-Options header:

  1. DENY: This value instructs the browser to not display the website in any frame or iframe.
    Header always set X-Frame-Options "DENY"

  2. SAMEORIGIN: This value allows the website to be displayed in frames or iframes that originate from the same domain.
    Header always set X-Frame-Options "SAMEORIGIN"

  3. ALLOW-FROM uri: This value allows the website to be displayed in frames or iframes that originate from the specified URI.
    Header always set X-Frame-Options "ALLOW-FROM https://example.com"

It is recommended to set the X-Frame-Options header to either DENY or SAMEORIGIN, depending on the specific requirements of the website.
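The following script is an added illustration and not part of the original advisory or of the scanner's own code. It reproduces the check behind this finding: it parses a raw HTTP response, reports the header as missing when it is absent (the condition Plugin 10020 raises), and otherwise classifies the value so that a deployment can be verified after the remediation above is applied. The three "Header always set" lines above are Apache mod_headers syntax. One caveat for the third option: current browsers no longer honour ALLOW-FROM (Chrome and Safari never implemented it and Firefox has dropped it), so the checker reports it as its own outcome rather than as a fix; values outside the recognised set are ignored by browsers and leave the page frameable. The sample responses in the script are constructed.

```python
"""Added example: classify the X-Frame-Options header in an HTTP response.
Not the scanner's code; sample responses below are constructed."""
from typing import List, Tuple

Header = Tuple[str, str]


def parse_response_headers(raw: str) -> List[Header]:
    """Split a raw HTTP response (status line plus headers) into (name, value)
    pairs. Duplicate headers are kept, because that case matters below."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs: List[Header] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def classify_x_frame_options(headers: List[Header]) -> str:
    """Return one of:
    'missing'     - header absent: the condition this plugin reports
    'ok'          - DENY or SAMEORIGIN, the values the remediation recommends
    'allow-from'  - ALLOW-FROM uri: present, but ignored by current browsers
    'conflicting' - several different values; browser handling is not uniform,
                    so treat it as misconfigured and send exactly one value
    'invalid'     - unrecognised value, which browsers ignore (no protection)
    """
    # Header names and these directive values are compared case-insensitively.
    values = [v.upper() for n, v in headers if n.lower() == "x-frame-options"]
    if not values:
        return "missing"
    if len(set(values)) > 1:
        return "conflicting"
    value = values[0]
    if value in ("DENY", "SAMEORIGIN"):
        return "ok"
    if value.startswith("ALLOW-FROM"):
        return "allow-from"
    return "invalid"


def audit(raw: str) -> str:
    """Convenience wrapper: raw response text in, finding label out."""
    return classify_x_frame_options(parse_response_headers(raw))


# Constructed sample responses, one per outcome.
SAMPLES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "sameorigin": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\n"
                  "X-Frame-Options: ALLOW-FROM https://example.com\r\n\r\n",
    "invalid": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
    "conflicting": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                   "X-Frame-Options: SAMEORIGIN\r\n\r\n",
    "duplicate_same": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n"
                      "X-Frame-Options: deny\r\n\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:15s} -> {audit(raw)}")
```

Only "ok" means the remediation is in place; "missing", "invalid" and "allow-from" all leave the page frameable in current browsers, and "conflicting" should be resolved by emitting a single value.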

About

The vulnerability “X-Frame-Options Header Not Set” occurs when the X-Frame-Options header is missing from the HTTP response. This header is a security measure that helps prevent “ClickJacking” attacks, in which an attacker loads a legitimate website in an invisible frame on top of a decoy page, so that clicks the user intends for the decoy land on the legitimate site. By including the X-Frame-Options header, the website can control whether it may be embedded in frames or iframes on other websites, reducing the risk of such attacks.

Risks

If the X-Frame-Options header is not set, the website becomes vulnerable to “ClickJacking” attacks. An attacker can create a malicious website that embeds the target website in a frame or iframe, tricking users into performing actions on the target website without their knowledge. This can lead to various security issues, such as unauthorized access, data theft, or performing malicious actions on behalf of the user. By not including the X-Frame-Options header, the website exposes its users to these risks and compromises their security.