
Security Test: X-Frame-Options header

Description

Default Severity:

X-Frame-Options tells browsers whether your site may be rendered inside a frame on another site. This matters because an attacker who can load your site into an invisible frame on their own page can trick users into clicking hidden elements, an attack called clickjacking that can trigger unintended actions such as transferring funds or disclosing credentials. The risk comes from either omitting the header or misconfiguring it, which leaves your site open to abuse. Most developers overlook this header or use insecure settings, so applying a strict value such as SAMEORIGIN or DENY protects your users from unwittingly interacting with hidden malicious content.
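The following is an added example of how such a check can classify an X-Frame-Options header; it is not the product's own check implementation. It treats a missing, empty, duplicated, unrecognised or obsolete ALLOW-FROM value as a failure and only DENY or SAMEORIGIN as a pass; the sample responses are constructed, not captured from a real site.

```python
"""Classify an HTTP response's X-Frame-Options header for clickjacking risk.
Added example, not the product's own check code."""

# The only values current browsers honour. ALLOW-FROM was dropped by browsers,
# so it neither blocks framing reliably nor is a valid configuration today.
STRICT_VALUES = {"DENY", "SAMEORIGIN"}


def evaluate_x_frame_options(headers: dict[str, str]) -> tuple[bool, str]:
    """Return (passed, reason) for a dict of header name -> raw value.

    Header names are matched case-insensitively. If the server emitted the
    header more than once, the raw value is expected to be comma-joined,
    which is how most HTTP client libraries expose duplicate headers.
    """
    value = next((raw for name, raw in headers.items()
                  if name.lower() == "x-frame-options"), None)
    if value is None:
        return False, "header missing: site can be framed by any origin"

    # Split on commas so duplicate or conflicting header instances are caught.
    tokens = [t.strip().upper() for t in value.split(",") if t.strip()]
    if not tokens:
        return False, "header present but empty"
    if len(tokens) > 1:
        return False, f"conflicting values {tokens}: browser handling varies, treat as misconfigured"
    token = tokens[0]
    if token.startswith("ALLOW-FROM"):
        return False, "ALLOW-FROM is obsolete and ignored by current browsers"
    if token not in STRICT_VALUES:
        return False, f"unrecognised value {token!r}: browsers ignore it, framing allowed"
    return True, f"{token} blocks cross-origin framing"


# Constructed sample responses (not captured from a real site).
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "text/html"},
    "deny": {"x-frame-options": "DENY"},
    "sameorigin_lower": {"X-Frame-Options": "sameorigin"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "typo": {"X-Frame-Options": "SAME-ORIGIN"},
    "conflicting": {"X-Frame-Options": "DENY, SAMEORIGIN"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        ok, why = evaluate_x_frame_options(hdrs)
        print(f"{label:17} {'PASS' if ok else 'FAIL'}  {why}")
```

Only the two strict values pass; everything else is reported with the reason a browser would effectively allow framing.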

Configuration

Identifier: protocol/header_x_frame_options

Examples

All configuration available:

checks:
  protocol/header_x_frame_options:
    skip: false # default

Compliance and Standards

Standard           Value
OWASP API Top 10   API7:2023
OWASP LLM Top 10   LLM02:2023
PCI DSS            6.5.10
GDPR               Article-32
SOC2               CC1
PSD2               Article-95
ISO 27001          A.14.2
NIST               SP800-53
FedRAMP            AC-2
CWE                16
CVSS Vector        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CVSS Score         4.3