Missing or Permissive X-Frame-Options HTTP Response Header

Info Nessus Plugin ID 50345

Synopsis

The remote web server does not take steps to mitigate clickjacking, a class of web application vulnerabilities.

Description

In some responses, the remote web server either sets a permissive X-Frame-Options response header or does not set one at all.

The X-Frame-Options header was proposed by Microsoft (first shipped in Internet Explorer 8 and later documented in RFC 7034) as a way to mitigate clickjacking attacks and is currently supported by all major browser vendors. The recognised values are DENY and SAMEORIGIN; ALLOW-FROM was never implemented by all browsers, and a browser that does not understand it ignores the header entirely, so it is effectively permissive. The Content-Security-Policy frame-ancestors directive supersedes this header and, where both are present, takes precedence over it.

Solution

Set a properly configured X-Frame-Options header (DENY, or SAMEORIGIN if the site needs to frame its own pages) on all requested resources, including error pages, redirects and static content. Browsers evaluate the header per response, so a header added only to selected pages leaves every other response frameable. Where supported, set a Content-Security-Policy frame-ancestors directive as well.
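The following is an added example, not part of the Nessus plugin or its NASL source, showing the classification this finding implies: each response is inspected for X-Frame-Options and a CSP frame-ancestors directive and graded as ok, missing, permissive or invalid. The sample responses are constructed inline for the example; the precedence and value rules follow RFC 7034 and CSP Level 2, and the function names are this example's own.

```python
"""Classify the clickjacking posture of HTTP responses from their headers.

Added example; not the Nessus plugin's own code. Header semantics follow
RFC 7034 (X-Frame-Options) and CSP Level 2 (frame-ancestors).
"""

# Constructed sample response heads (status line plus raw headers), not real captures.
SAMPLE_RESPONSES = {
    "missing": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "deny": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\n\r\n",
    "sameorigin": "HTTP/1.1 200 OK\r\nx-frame-options: sameorigin\r\n\r\n",
    "allow_from": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOW-FROM https://partner.example\r\n\r\n",
    "invalid": "HTTP/1.1 200 OK\r\nX-Frame-Options: ALLOWALL\r\n\r\n",
    "conflicting": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n",
    "csp_none": "HTTP/1.1 200 OK\r\nContent-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n",
    "csp_wildcard": "HTTP/1.1 200 OK\r\nX-Frame-Options: DENY\r\nContent-Security-Policy: frame-ancestors *\r\n\r\n",
}


def parse_headers(raw):
    """Return (name, value) pairs, names lower-cased, from a raw HTTP response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def csp_frame_ancestors(pairs):
    """Return the frame-ancestors source list from a CSP header, or None if absent."""
    for name, value in pairs:
        if name != "content-security-policy":
            continue
        for directive in value.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return tokens[1:]
    return None


def assess(raw):
    """Return (verdict, detail); verdict is 'ok', 'missing', 'permissive' or 'invalid'."""
    pairs = parse_headers(raw)
    ancestors = csp_frame_ancestors(pairs)
    xfo = [v.lower() for n, v in pairs if n == "x-frame-options"]

    # CSP Level 2: when frame-ancestors is present, the browser ignores X-Frame-Options,
    # so a permissive CSP directive overrides even a strict DENY.
    if ancestors is not None:
        sources = [s.lower() for s in ancestors]
        if any(s == "*" or s.endswith(":") for s in sources):
            return "permissive", "frame-ancestors allows any origin: " + " ".join(ancestors)
        return "ok", "frame-ancestors " + " ".join(ancestors)

    if not xfo:
        return "missing", "no X-Frame-Options and no frame-ancestors directive"
    if len(set(xfo)) > 1:
        # Browsers do not agree on how to resolve conflicting values; treat as misconfigured.
        return "invalid", "conflicting X-Frame-Options values: " + ", ".join(xfo)
    value = xfo[0]
    if value in ("deny", "sameorigin"):
        return "ok", "X-Frame-Options " + value.upper()
    if value.startswith("allow-from"):
        # Browsers that never implemented ALLOW-FROM ignore the header, leaving the page frameable.
        return "permissive", "ALLOW-FROM is not supported by all browsers and is ignored by those that lack it"
    return "invalid", "unrecognised X-Frame-Options value: " + value


def scan(responses):
    """Assess every response in a {label: raw_head} mapping; returns {label: (verdict, detail)}."""
    return {label: assess(raw) for label, raw in responses.items()}


if __name__ == "__main__":
    for label, (verdict, detail) in scan(SAMPLE_RESPONSES).items():
        print(f"{label:12s} {verdict:10s} {detail}")
```

Only the ok verdicts would pass this plugin's check; everything else corresponds to the "permissive or missing" condition in the description. The csp_wildcard case is the one practitioners most often miss: X-Frame-Options: DENY is present, yet the page is frameable because frame-ancestors wins.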

See Also

https://en.wikipedia.org/wiki/Clickjacking

http://www.nessus.org/u?399b1f56

Plugin Details

Severity: Info

ID: 50345

File Name: http_X_Frame_Options_header.nasl

Version: 1.4

Type: remote

Family: CGI abuses

Published: 2010/10/26

Updated: 2017/05/16

Dependencies: 67257

Risk Information

Risk Factor: Info