Description
The absence of the X-Frame-Options HTTP response header leaves a website vulnerable to click-jacking attacks. Without this header, attackers can embed the site’s content into malicious pages using iframes, potentially leading to phishing attacks or unauthorized transactions.
Recommendation
To mitigate this vulnerability, configure your server to send the X-Frame-Options header with an appropriate setting for all pages. Common settings include DENY, SAMEORIGIN, or ALLOW-FROM followed by a specific URI. Choose the setting that best fits your application’s requirements. Ensure proper testing to verify that the header is correctly implemented and enforced by all browsers.
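To support the testing step above, the following added example (not part of this finding's template) evaluates a captured set of response headers and reports whether framing is actually restricted. It goes slightly beyond the header values listed above: it treats a Content-Security-Policy frame-ancestors directive as taking precedence (as browsers do), flags the obsolete ALLOW-FROM form, and rejects conflicting comma-joined values. The sample header sets are constructed.

```python
"""Verify click-jacking protection from HTTP response headers (offline check)."""
from dataclasses import dataclass


@dataclass
class FramingVerdict:
    protected: bool
    reason: str


def _frame_ancestors(csp: str):
    """Return the source list of the frame-ancestors directive, or None if absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return parts[1:]
    return None


def check_framing_protection(headers: dict) -> FramingVerdict:
    """Decide whether the response restricts which origins may frame the page."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    if csp is not None:
        sources = _frame_ancestors(csp)
        if sources is not None:  # CSP frame-ancestors overrides X-Frame-Options
            if "*" in sources:
                return FramingVerdict(False, "frame-ancestors permits any origin")
            return FramingVerdict(True, "CSP frame-ancestors " + " ".join(sources))
    xfo = h.get("x-frame-options")
    if xfo is None:
        return FramingVerdict(False, "no X-Frame-Options and no frame-ancestors")
    value = xfo.strip().upper()
    if "," in value:  # multiple conflicting values are treated as invalid by browsers
        return FramingVerdict(False, "conflicting X-Frame-Options values: " + xfo)
    if value in ("DENY", "SAMEORIGIN"):
        return FramingVerdict(True, "X-Frame-Options: " + value)
    if value.startswith("ALLOW-FROM"):
        return FramingVerdict(False, "ALLOW-FROM is obsolete; modern browsers ignore it")
    return FramingVerdict(False, "unrecognized X-Frame-Options value: " + xfo)


if __name__ == "__main__":
    # Constructed sample responses, as a scanner or a curl -I capture might yield them.
    samples = {
        "missing header": {"Content-Type": "text/html"},
        "deny": {"X-Frame-Options": "deny"},
        "obsolete allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
        "csp wins": {"X-Frame-Options": "DENY", "Content-Security-Policy": "frame-ancestors *"},
    }
    for name, hdrs in samples.items():
        v = check_framing_protection(hdrs)
        print(f"{name:20} protected={v.protected!s:5} {v.reason}")
```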
References
- Mozilla: Web Security
- OWASP: Clickjacking
- Mozilla: X-Frame-Options
- OWASP: X-Frame-Options Header
- CWE-1021
- CWE-16
- OWASP 2021-A5