
Protocol: X-Frame-Options header

Identifier: header_x_frame_options

Scanner(s) Support

GraphQL Scanner, REST Scanner, WebApp Scanner

Description

X-Frame-Options tells browsers whether your site may be rendered inside a frame on another site. This matters because if an attacker can load your site into an invisible frame on their own page, they can trick users into clicking hidden elements, an attack called clickjacking that can lead to unintended actions such as transferring funds or disclosing credentials. The risk comes from either not setting this header or misconfiguring it, which leaves your site open to abuse. This header is frequently overlooked or set to an insecure value, so applying a strict setting such as SAMEORIGIN or DENY helps protect your users from unwittingly interacting with hidden malicious content.
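The following is an added illustration, not the scanner's own code: a small check that classifies a response's X-Frame-Options header the way this test would, treating a missing header, an obsolete ALLOW-FROM directive, an unrecognised value or conflicting values as a finding, and only DENY or SAMEORIGIN as a pass. The header dictionaries at the bottom are constructed sample input.

```python
"""Classify an HTTP response's X-Frame-Options header (added example)."""
from dataclasses import dataclass
from typing import Mapping

# Only these two directives are honoured by current browsers.
STRICT_VALUES = {"DENY", "SAMEORIGIN"}


@dataclass(frozen=True)
class Finding:
    vulnerable: bool
    reason: str


def check_x_frame_options(headers: Mapping[str, str]) -> Finding:
    """Return a Finding for the given response headers (names are case-insensitive)."""
    lowered = {name.lower(): value for name, value in headers.items()}
    raw = lowered.get("x-frame-options")
    if raw is None:
        return Finding(True, "header missing: any origin may frame the page")
    # Several values can end up comma-joined when more than one layer
    # (app, reverse proxy, CDN) sets the header; browsers do not apply
    # both, so differing values are treated as a misconfiguration.
    values = [v.strip().upper() for v in raw.split(",") if v.strip()]
    if not values:
        return Finding(True, "header present but empty")
    if len(set(values)) > 1:
        return Finding(True, f"conflicting values {values}")
    value = values[0]
    if value in STRICT_VALUES:
        return Finding(False, f"strict value {value}")
    if value.startswith("ALLOW-FROM"):
        return Finding(True, "ALLOW-FROM is obsolete and ignored by current browsers")
    # Anything else (e.g. ALLOWALL, typos) is not a valid directive; browsers
    # then fall back to allowing framing, so the page is unprotected.
    return Finding(True, f"unrecognised value {value!r}: framing not restricted")


if __name__ == "__main__":
    # Constructed sample responses, not captured traffic.
    samples = {
        "no header": {"Content-Type": "text/html"},
        "strict": {"X-Frame-Options": "DENY"},
        "obsolete": {"x-frame-options": "ALLOW-FROM https://example.invalid"},
        "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    }
    for label, headers in samples.items():
        print(f"{label:12} -> {check_x_frame_options(headers)}")
```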

Configuration

Example

Example configuration:

---
security_tests:
  header_x_frame_options:
    assets_allowed:
    - REST
    - GRAPHQL
    - WEBAPP
    skip: false

Reference

assets_allowed

Type : List[AssetType]*

List of assets that this check will cover.

skip

Type : boolean

Skip the test if true.