Description
The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.
The Content Security Policy (CSP) frame-ancestors directive obsoletes X-Frame-Options in browsers that support it: when both headers are present, a supporting browser enforces frame-ancestors and ignores X-Frame-Options, so the two should agree.
The X-Frame-Options header is only useful when the HTTP response that carries it contains something to interact with (e.g. links, buttons). If the response is a redirect or an API returning JSON data, X-Frame-Options provides no security benefit.
Recommendation
- Use the Content Security Policy (CSP) frame-ancestors directive if possible (frame-ancestors 'none' is the equivalent of DENY).
- Do not allow the page to be displayed in a frame:
X-Frame-Options: DENY
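As an added example (not code from this issue or from the project it was filed against), the helper below builds the recommended header pair and classifies a response the way a pen-tester would when reporting this finding: a frame-ancestors directive takes precedence over X-Frame-Options, redirects and JSON responses are reported as not applicable rather than as findings, and the obsolete ALLOW-FROM form or a wildcard frame-ancestors counts as unprotected. The function names, the verdict strings and the sample responses are all assumptions constructed for the example.

```python
"""Clickjacking-header helpers (added example, not project code)."""
from typing import Mapping, Optional


def clickjacking_headers(allowed_ancestors: tuple = ()) -> dict:
    """Return response headers that block framing.

    With no allowed ancestors this is the strict form from the
    recommendation above: X-Frame-Options: DENY plus frame-ancestors 'none'.
    With an origin list, frame-ancestors carries it and X-Frame-Options
    falls back to SAMEORIGIN, since X-Frame-Options cannot express an
    origin list (ALLOW-FROM is obsolete); legacy browsers then fail closed.
    """
    if not allowed_ancestors:
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    return {
        "X-Frame-Options": "SAMEORIGIN",
        "Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors),
    }


def frame_ancestors_of(csp: Optional[str]) -> Optional[str]:
    """Return the frame-ancestors source list from a CSP header value, or None.

    An empty source list means nothing may frame the page, so it is
    normalised to 'none'.
    """
    if not csp:
        return None
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            return " ".join(parts[1:]) or "'none'"
    return None


def framing_verdict(status: int, headers: Mapping[str, str]) -> str:
    """Classify a response's protection against being framed.

    Verdicts (assumed names):
      "not-applicable"  redirect or JSON body: nothing to click, so the
                        header is irrelevant (the caveat in the issue)
      "csp"             frame-ancestors present and not a wildcard; it
                        overrides X-Frame-Options in supporting browsers
      "xfo"             only X-Frame-Options DENY or SAMEORIGIN present
      "unprotected"     neither, a wildcard, or an obsolete ALLOW-FROM
    """
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if 300 <= status < 400 or ctype == "application/json":
        return "not-applicable"
    ancestors = frame_ancestors_of(h.get("content-security-policy"))
    if ancestors is not None:
        return "unprotected" if ancestors.strip() == "*" else "csp"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return "xfo"
    return "unprotected"


# Constructed sample responses, as a scanner might collect them.
SAMPLE_RESPONSES = [
    ("GET /login", 200, {"Content-Type": "text/html"}),
    ("GET /account", 200, {"Content-Type": "text/html", **clickjacking_headers()}),
    ("GET /legacy", 200, {"Content-Type": "text/html", "X-Frame-Options": "DENY"}),
    ("GET /widget", 200, {"Content-Type": "text/html",
                          "X-Frame-Options": "ALLOW-FROM https://partner.example"}),
    ("GET /", 302, {"Location": "/login"}),
    ("GET /api/me", 200, {"Content-Type": "application/json; charset=utf-8"}),
]

if __name__ == "__main__":
    for name, status, hdrs in SAMPLE_RESPONSES:
        print(f"{name:14} {status} -> {framing_verdict(status, hdrs)}")
```

Only the "unprotected" verdicts on HTML responses belong in a report; "not-applicable" responses are exactly the redirect and JSON cases the issue says the header does nothing for.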
Discussion
No response
Motivation
This pops up in OWASP pen-tests conducted by big institutions.
Details
No response