X-Frame-Options header

Description

X-Frame-Options header is missing

Remediation

Add the X-Frame-Options header to responses.
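The check this page describes is a response-header inspection. The following is an added example (not Escape's scanner code) that classifies a response as missing, weak or ok, with the two caveats a practitioner would apply: a CSP frame-ancestors directive supersedes X-Frame-Options in browsers that support it, and the obsolete ALLOW-FROM form or a conflicting value list is ignored by browsers, which leaves the page frameable. The sample responses are constructed.

```python
"""Classify a response's anti-framing headers.

Added example for this page, not Escape's own scanner code. Header names and
values are the standard ones (X-Frame-Options: DENY / SAMEORIGIN, CSP
frame-ancestors); the sample responses at the bottom are constructed.
"""
from typing import Dict, List, Tuple

VALID_XFO = {"DENY", "SAMEORIGIN"}


def check_frame_protection(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (status, findings) for a mapping of header name -> value.

    status: "missing" (no anti-framing header; this page's finding),
            "weak"    (header present but deprecated/invalid, so browsers
                       ignore it and the page is still frameable),
            "ok"      (valid X-Frame-Options or a CSP frame-ancestors policy).
    """
    # Header names are case-insensitive, so normalise before looking them up.
    lower = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    # A CSP frame-ancestors directive supersedes X-Frame-Options in browsers
    # that support it, so its presence alone is enough for "ok".
    csp = lower.get("content-security-policy", "")
    has_frame_ancestors = any(
        directive.strip().lower().startswith("frame-ancestors")
        for directive in csp.split(";")
    )

    xfo = lower.get("x-frame-options")
    if xfo is None:
        if has_frame_ancestors:
            return "ok", findings
        findings.append("X-Frame-Options header is missing")
        return "missing", findings

    value = xfo.upper()
    if value in VALID_XFO:
        return "ok", findings
    if value.startswith("ALLOW-FROM"):
        # Obsolete: modern browsers ignore ALLOW-FROM entirely.
        findings.append("X-Frame-Options uses the deprecated ALLOW-FROM form")
    else:
        # Covers typos and conflicting lists such as "DENY, SAMEORIGIN",
        # which browsers treat as invalid rather than picking one.
        findings.append(f"X-Frame-Options has an invalid value: {xfo!r}")
    return ("ok" if has_frame_ancestors else "weak"), findings


# Constructed sample responses: name -> headers as a scanner would see them.
SAMPLE_RESPONSES = {
    "graphql-json": {"Content-Type": "application/json"},
    "html-sameorigin": {"Content-Type": "text/html", "x-frame-options": "sameorigin"},
    "allow-from": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "csp-only": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
}


def scan(responses=SAMPLE_RESPONSES) -> Dict[str, str]:
    """Run the check over every sample and return name -> status."""
    return {name: check_frame_protection(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, status in scan().items():
        print(f"{name:16} {status}")
```

Running the module prints one status per sample response. The "weak" class matters in practice: a header that is present but unparseable satisfies a naive "is the header there" test while giving no protection.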

GraphQL Specific

Apollo

To mitigate the risk of clickjacking attacks in the Apollo framework engine, ensure that the server sends the 'X-Frame-Options' HTTP header with a value of 'DENY' or 'SAMEORIGIN'. This header prevents the application's content from being embedded into other sites. Configure your web server or application to include this header in all responses with HTML content.

Yoga

To mitigate the risk of clickjacking attacks in the Yoga framework engine, set the 'X-Frame-Options' HTTP response header to 'DENY' or 'SAMEORIGIN'. This header prevents your webpages from being framed by other sites. Configure your server to include this header in all responses containing HTML content.

Awsappsync

To mitigate the risk of clickjacking attacks in the AWS AppSync framework, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' for all responses served by your AppSync API. This can be achieved by configuring a response mapping template to include the header, or by using a Lambda function or a proxy server that sets the header before forwarding the response to the client.

Graphqlgo

Implement the X-Frame-Options HTTP header in the GraphQL Go framework engine to control whether your application can be embedded into other websites. Set the header to 'DENY' to prevent any domain from framing your content, or to 'SAMEORIGIN' to allow framing only by pages on the same origin as the content itself. This can help mitigate clickjacking attacks.

Graphqlruby

To mitigate the risk of clickjacking attacks in a GraphQL Ruby framework engine, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN'. This can be done by configuring your Ruby on Rails application to include the header in the response. For example, in your application controller, you can add a before_action hook that sets the header: response.headers['X-Frame-Options'] = 'SAMEORIGIN'. This ensures that your application's content cannot be embedded into iframes on external sites when set to 'SAMEORIGIN', or at all when set to 'DENY'.

Hasura

Configure the Hasura engine to include the 'X-Frame-Options' HTTP header with the value 'DENY' or 'SAMEORIGIN' in its responses to prevent clickjacking attacks. This can be achieved by setting up a reverse proxy such as Nginx or Apache in front of Hasura and configuring the proxy to add the header, or by using a middleware in the Hasura web server if supported.

REST Specific

Asp_net

Implement the X-Frame-Options HTTP response header in your ASP.NET application to prevent clickjacking attacks. This can be done by adding the header in the web.config file or directly in your code.

Ruby_on_rails

In Ruby on Rails, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' by adding 'config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN' }' to the 'config/application.rb' file. This will prevent the app's content from being framed and protect against clickjacking attacks.

Next_js

In your Next.js application, set the X-Frame-Options HTTP header to DENY or SAMEORIGIN to prevent clickjacking attacks. You can do this by customizing the server configuration or by using Next.js middleware to add the header to all server responses.

Laravel

In Laravel, you can add the 'X-Frame-Options' header globally by using middleware. Create a new middleware with the command 'php artisan make:middleware AddXFrameOptionsHeader', then in the handle method of the generated class, add the header to the response using '\Illuminate\Http\Response'. Finally, register the middleware in the 'app/Http/Kernel.php' file.

Express_js

In your Express.js application, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' to prevent clickjacking attacks. You can do this by using the 'helmet' middleware, which includes a module for setting this header. Install helmet with 'npm install helmet' and include it in your app with 'app.use(helmet.frameguard({ action: 'deny' }))' for denying all framing or 'app.use(helmet.frameguard({ action: 'sameorigin' }))' to allow framing by the same origin only.

Django

In your Django application, ensure that the 'X-Frame-Options' header is set by using the 'XFrameOptionsMiddleware'. Add 'django.middleware.clickjacking.XFrameOptionsMiddleware' to the 'MIDDLEWARE' setting in your settings.py file to enable it. This middleware will set the 'X-Frame-Options' header to 'DENY' by default, which prevents your website from being framed by any other site. If you need to allow framing by certain trusted origins, you can use the 'SAMEORIGIN' value or customize the behavior using the 'X_FRAME_OPTIONS' setting.

Symfony

In Symfony, enable the X-Frame-Options header by configuring it in your security.yaml or by setting the header directly in your response objects. For example, you can add frame-options: DENY or frame-options: SAMEORIGIN under the headers section in security.yaml to apply it globally, or use $response->headers->set('X-Frame-Options', 'DENY'); for an individual response.

Spring_boot

In a Spring Boot application, add the X-Frame-Options header to HTTP responses to prevent clickjacking attacks. Configure the HttpSecurity in your security configuration class by using the headers() method chain to include frameOptions().deny() or frameOptions().sameOrigin() based on your requirements.

Flask

In Flask, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' by adding it to the response headers. This can be done using the 'after_request' decorator to ensure all responses include the header. For example, decorate a function with '@app.after_request' whose body is 'def apply_xframe_options(response): response.headers['X-Frame-Options'] = 'SAMEORIGIN'; return response' to apply it to all responses.
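The Flask 'after_request' approach above is one framework's spelling of a general idea: attach the header at the boundary where every response passes. As an added example (not Flask's or any framework's code), the following standard-library-only WSGI middleware does this for any WSGI application, such as Flask or Django, and includes an in-process driver so it can be exercised without a network. The 'hello_app' stand-in application is constructed.

```python
"""Add X-Frame-Options to every response of a WSGI application.

Added example for this page, not code from Flask or any other framework.
Only the standard library is used, so it works with any WSGI app object:
wrap the app before handing it to the server.
"""
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]


class XFrameOptionsMiddleware:
    """WSGI middleware that sets X-Frame-Options unless the app already did."""

    def __init__(self, app, value: str = "DENY"):
        # Only the two values browsers honour are accepted; anything else
        # (e.g. the obsolete ALLOW-FROM) would be ignored by the browser.
        if value.upper() not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value.upper()

    def __call__(self, environ, start_response):
        def wrapped_start_response(status, headers: Headers, exc_info=None):
            # Leave an explicit per-response value alone; otherwise add ours.
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, wrapped_start_response)


def hello_app(environ, start_response):
    """Constructed minimal WSGI app standing in for a Flask/Django app."""
    start_response("200 OK", [("Content-Type", "text/html; charset=utf-8")])
    return [b"<h1>hello</h1>"]


def call_app(app, path: str = "/") -> Tuple[str, Headers, bytes]:
    """Drive a WSGI app in-process (no network) and collect its response."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = list(headers)

    environ = {
        "REQUEST_METHOD": "GET",
        "PATH_INFO": path,
        "SERVER_NAME": "localhost",
        "SERVER_PORT": "80",
        "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup, as a scanner would perform it."""
    for key, value in headers:
        if key.lower() == name.lower():
            return value
    return None


# The wrapped application: every response now carries SAMEORIGIN.
app = XFrameOptionsMiddleware(hello_app, "SAMEORIGIN")

if __name__ == "__main__":
    from wsgiref.simple_server import make_server

    make_server("127.0.0.1", 8000, app).serve_forever()
```

Because the middleware only adds the header when the application has not set one, an individual route can still choose 'DENY' while the site default stays 'SAMEORIGIN'. Run the module to serve the wrapped app locally and confirm the header with any HTTP client.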

Nuxt

In your Nuxt.js application, ensure that the X-Frame-Options header is set to either DENY or SAMEORIGIN to prevent clickjacking attacks. You can achieve this by configuring your server settings or by using middleware to set the header for all responses.

Fastapi

In FastAPI, to mitigate clickjacking attacks by preventing your application from being embedded in an iframe, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN'. You can do this by using FastAPI's middleware functionality. For example, register an HTTP middleware with the '@app.middleware("http")' decorator: the decorated function awaits 'call_next(request)', sets 'response.headers['X-Frame-Options'] = 'SAMEORIGIN'' on the returned response, and returns it, so every response carries the header. Replace 'SAMEORIGIN' with 'DENY' if you want to block all framing attempts.

Configuration

Identifier: protocol/header_x_frame_options

Examples

Ignore this check

checks:
  protocol/header_x_frame_options:
    skip: true

Score

  • Escape Severity: LOW

Compliance

  • OWASP: API7:2023

  • pci: 6.5.10

  • gdpr: Article-32

  • soc2: CC1

  • psd2: Article-95

  • iso27001: A.14.2

  • nist: SP800-53

  • fedramp: AC-2

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3