Insecure HTTP Header Setting: X-Frame-Options
Description
The X-Frame-Options HTTP response header declares whether the browser may render the transmitted resource inside a frame or iframe. Servers send it to prevent clickjacking attacks, in which an attacker embeds the target page in an invisible frame on a page they control and tricks the user into clicking on it. When the header is missing, or carries a value that browsers do not honour, the content can be embedded in other pages or frames. Modern browsers also honour the frame-ancestors directive of Content-Security-Policy; it takes precedence over X-Frame-Options when both are present and is the preferred mechanism, with X-Frame-Options kept as a fallback for older browsers.
Recommendation
- Sending the proper X-Frame-Options HTTP response header, instructing the browser not to allow framing from other domains. The recognised values are:
  X-Frame-Options: DENY
    Completely denies loading the page in any frame or iframe, including frames on the same origin.
  X-Frame-Options: SAMEORIGIN
    Allows framing only by pages that have the same origin as the framed page.
  X-Frame-Options: ALLOW-FROM https://example.com
    Was intended to permit a single named origin to frame the page. It is obsolete and is ignored by current browsers, which then apply no X-Frame-Options restriction at all, so the page is framable by anyone. When a specific origin must be allowed, use the Content-Security-Policy header with a frame-ancestors directive (for example frame-ancestors 'self' https://example.com) instead.
- Employing defensive code in the UI (frame busting) as a secondary control, so that the page refuses to render unless it is the top-level window. Script-based defenses can be bypassed (for example by an iframe with a sandbox attribute that disables scripts or top-level navigation), so they supplement the header rather than replace it.
  if (window !== window.top) {
      // The page is being rendered inside a frame or iframe.
      // Handle this appropriately, for example by navigating the
      // top-level window away from the framing page (as below) or
      // by hiding the page content and displaying a warning.
      // Browsers may refuse a scripted top-level navigation from a
      // cross-origin frame, so do not rely on this succeeding.
      window.top.location.href = "about:blank";
  }
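The following is an added example, not code from the original finding text. It does two things a practitioner usually wants when triaging this finding: it classifies the framing policy a response actually carries (X-Frame-Options together with CSP frame-ancestors, since the latter overrides the former), flagging ALLOW-FROM, conflicting values and over-broad frame-ancestors sources as ineffective; and it builds the header set a server should send for a chosen policy. The verdict labels, the function names, and the sample headers (including the partner.example origin) are this example's own conventions and constructed inputs, not anything the page specifies.

```javascript
'use strict';

// Case-insensitive header lookup over a plain object, the shape Node's
// http.IncomingMessage.headers has (lower-case keys, arrays for repeats).
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers)) {
    if (key.toLowerCase() === wanted) {
      return Array.isArray(value) ? value.join(', ') : String(value);
    }
  }
  return null;
}

// Return the source list of a CSP frame-ancestors directive, or null if the
// policy has no such directive. Only the enforcing header is consulted;
// Content-Security-Policy-Report-Only does not block framing.
function frameAncestorsSources(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0 && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map((t) => t.toLowerCase());
    }
  }
  return null;
}

// Classify the framing policy a response carries. Verdict labels are this
// example's own convention: 'enforced', 'weak' (a header is present but does
// not actually restrict framing) or 'missing'.
function assessFramingPolicy(headers) {
  const ancestors = frameAncestorsSources(getHeader(headers, 'Content-Security-Policy'));
  if (ancestors !== null) {
    // A browser that understands frame-ancestors ignores X-Frame-Options,
    // so the CSP directive decides the outcome when both are present.
    const src = 'frame-ancestors';
    if (ancestors.length === 1 && ancestors[0] === "'none'") {
      return { verdict: 'enforced', source: src, detail: "'none'" };
    }
    if (ancestors.length === 0 || ancestors.includes("'none'")) {
      return { verdict: 'weak', source: src, detail: 'malformed source list: ' + ancestors.join(' ') };
    }
    // '*' or a bare scheme such as "https:" lets any site frame the page.
    const open = ancestors.filter((a) => a === '*' || /^[a-z][a-z0-9+.-]*:$/.test(a));
    if (open.length > 0) {
      return { verdict: 'weak', source: src, detail: 'over-broad source(s): ' + open.join(' ') };
    }
    return { verdict: 'enforced', source: src, detail: ancestors.join(' ') };
  }

  const xfo = getHeader(headers, 'X-Frame-Options');
  if (xfo === null) {
    return { verdict: 'missing', source: null, detail: 'no X-Frame-Options or frame-ancestors' };
  }
  const src = 'x-frame-options';
  const values = [...new Set(xfo.split(',').map((v) => v.trim().toUpperCase()).filter(Boolean))];
  if (values.length !== 1) {
    return { verdict: 'weak', source: src, detail: 'conflicting values: ' + values.join(', ') };
  }
  const value = values[0];
  if (value === 'DENY' || value === 'SAMEORIGIN') {
    return { verdict: 'enforced', source: src, detail: value };
  }
  if (value.startsWith('ALLOW-FROM')) {
    return { verdict: 'weak', source: src, detail: 'ALLOW-FROM is obsolete; current browsers ignore it and allow framing' };
  }
  return { verdict: 'weak', source: src, detail: 'unrecognised value ' + value + ' is ignored by browsers' };
}

// Build the response headers to send for a chosen policy. For an allow-list the
// only working mechanism is frame-ancestors; X-Frame-Options is omitted because
// ALLOW-FROM is unsupported and SAMEORIGIN would block the listed partner
// origins in a browser that falls back to X-Frame-Options.
function framingHeaders(policy, allowedOrigins = []) {
  switch (policy) {
    case 'deny':
      return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
    case 'sameorigin':
      return { 'X-Frame-Options': 'SAMEORIGIN', 'Content-Security-Policy': "frame-ancestors 'self'" };
    case 'allow-list': {
      // Origins come from configuration; reject anything that is not a bare
      // origin so a stray ';' cannot inject further CSP directives.
      for (const o of allowedOrigins) {
        if (!/^https?:\/\/[A-Za-z0-9.*-]+(:\d+)?$/.test(o)) throw new Error('not an origin: ' + o);
      }
      if (allowedOrigins.length === 0) throw new Error('allow-list policy needs at least one origin');
      return { 'Content-Security-Policy': "frame-ancestors 'self' " + allowedOrigins.join(' ') };
    }
    default:
      throw new Error('unknown policy ' + policy);
  }
}

// Constructed sample responses (not captured from any real site).
const samples = {
  bare: {},
  deny: { 'x-frame-options': 'DENY' },
  allowFrom: { 'x-frame-options': 'ALLOW-FROM https://partner.example' },
  conflicting: { 'x-frame-options': 'DENY, SAMEORIGIN' },
  cspOpen: { 'content-security-policy': "default-src 'self'; frame-ancestors *" },
  cspAndXfo: { 'x-frame-options': 'DENY', 'content-security-policy': "frame-ancestors 'self' https://partner.example" },
};

for (const [name, headers] of Object.entries(samples)) {
  const r = assessFramingPolicy(headers);
  console.log(name.padEnd(12), r.verdict.padEnd(9), (r.source || '-').padEnd(16), r.detail);
}
console.log(framingHeaders('allow-list', ['https://partner.example']));
```

Feed assessFramingPolicy the headers object of a real response (for example from Node's http client) to confirm the finding, and use framingHeaders on the server side so both the legacy header and the CSP directive are emitted consistently; sending only one of them leaves either old or new browsers without a policy.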
Links
Standards
- OWASP_ASVS_L1:
- V14_4_7
- OWASP_ASVS_L2:
- V14_4_7
- OWASP_ASVS_L3:
- V14_4_7
- PCI_STANDARDS:
- REQ_2_2
- REQ_6_2
- REQ_6_3
- REQ_6_4
- REQ_11_3