
X-Frame-Options header

Description

X-Frame-Options header is missing

Remediation

Add X-Frame-Options header.
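The check behind this finding inspects the response headers of the endpoint. The following added example (not Escape's own check code) shows how such an evaluation can be written: it treats the header as present and effective only when it carries a single DENY or SAMEORIGIN value, reports the obsolete ALLOW-FROM form as a finding because current browsers ignore it, and, going slightly beyond the page, notes whether a Content-Security-Policy frame-ancestors directive is present as the modern equivalent. The sample header sets are constructed, not captured traffic.

```python
"""Evaluate an HTTP response's X-Frame-Options header for clickjacking protection.

Added example for the 'header_x_frame_options' finding; it is not Escape's own
implementation. Header names are matched case-insensitively, as HTTP requires.
"""
from dataclasses import dataclass

VALID_VALUES = {"DENY", "SAMEORIGIN"}


@dataclass
class XfoResult:
    ok: bool       # True only when the header provides real protection
    reason: str    # human-readable explanation for the report


def check_x_frame_options(headers: dict) -> XfoResult:
    """Return whether the response headers mitigate framing by other origins.

    Rules applied:
      * missing header            -> finding
      * DENY or SAMEORIGIN        -> ok
      * ALLOW-FROM <uri>          -> finding (ignored by current browsers)
      * several comma-joined values -> finding (browsers reject conflicts)
      * anything else             -> finding (invalid value)
    A CSP frame-ancestors directive, if present, is noted in the reason as a
    mitigating factor but does not by itself clear this specific check.
    """
    lowered = {name.lower(): value for name, value in headers.items()}
    csp = lowered.get("content-security-policy", "")
    csp_note = " (CSP frame-ancestors present)" if "frame-ancestors" in csp.lower() else ""

    raw = lowered.get("x-frame-options")
    if raw is None:
        return XfoResult(False, "X-Frame-Options header is missing" + csp_note)

    values = [v.strip().upper() for v in raw.split(",")]
    if len(values) > 1:
        return XfoResult(False, f"multiple X-Frame-Options values: {values}")

    value = values[0]
    if value in VALID_VALUES:
        return XfoResult(True, f"X-Frame-Options: {value}")
    if value.startswith("ALLOW-FROM"):
        return XfoResult(False, "ALLOW-FROM is obsolete and ignored by current browsers")
    return XfoResult(False, f"invalid X-Frame-Options value: {raw!r}" + csp_note)


# Constructed sample responses (not captured traffic), keyed by scenario.
SAMPLE_RESPONSES = {
    "missing": {"Content-Type": "application/json"},
    "deny": {"Content-Type": "text/html", "X-Frame-Options": "DENY"},
    "sameorigin": {"content-type": "text/html", "x-frame-options": "sameorigin"},
    "allow_from": {"X-Frame-Options": "ALLOW-FROM https://example.com"},
    "duplicate": {"X-Frame-Options": "DENY, SAMEORIGIN"},
    "csp_only": {"Content-Security-Policy": "frame-ancestors 'none'"},
}


if __name__ == "__main__":
    for name, headers in SAMPLE_RESPONSES.items():
        result = check_x_frame_options(headers)
        print(f"{name:<11} ok={result.ok!s:<5} {result.reason}")
```

Feeding the checker the headers of a real endpoint (for example from `requests.head(url).headers`) gives the same pass/fail decision the scanner reports; the `csp_only` sample shows why a missing X-Frame-Options header is still flagged even when a CSP policy covers framing.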

GraphQL Specific

Apollo To mitigate the risk of clickjacking attacks in the Apollo framework engine, ensure that the server sends the 'X-Frame-Options' HTTP header with a value of 'DENY' or 'SAMEORIGIN'. This header prevents the application's content from being embedded into other sites. Configure your web server or application to include this header in all responses with HTML content.
Yoga To mitigate the risk of clickjacking attacks in the Yoga framework engine, set the 'X-Frame-Options' HTTP response header to 'DENY' or 'SAMEORIGIN'. This header prevents your webpages from being framed by other sites. Configure your server to include this header in all responses containing HTML content.
Awsappsync To mitigate the risk of clickjacking attacks in the AWS AppSync framework, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' for all responses served by your AppSync API. This can be achieved by configuring a response mapping template to include the header, or by using a Lambda function or a proxy server that sets the header before forwarding the response to the client.
Graphqlgo Implement the X-Frame-Options HTTP header in the GraphQL Go framework engine to control whether your application can be embedded into other websites. Set the header to 'DENY' to prevent any domain from framing your content, or to 'SAMEORIGIN' to allow framing only by pages on the same origin as the content itself. This can help mitigate clickjacking attacks.
Graphqlruby To mitigate the risk of clickjacking attacks in a GraphQL Ruby framework engine, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN'. This can be done by configuring your Ruby on Rails application to include the header in the response. For example, in your application controller, you can add a before_action hook that sets the header: `response.headers['X-Frame-Options'] = 'SAMEORIGIN'`. This ensures that your application's content cannot be embedded into iframes on external sites when set to 'SAMEORIGIN', or at all when set to 'DENY'.
Hasura Configure the Hasura engine to include the 'X-Frame-Options' HTTP header with the value 'DENY' or 'SAMEORIGIN' in its responses to prevent clickjacking attacks. This can be achieved by setting up a reverse proxy such as Nginx or Apache in front of Hasura and configuring the proxy to add the header, or by using a middleware in the Hasura web server if supported.
Agoo Implement the 'X-Frame-Options' header in the Agoo framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Ariadne Implement the 'X-Frame-Options' header in the Ariadne framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Caliban Implement the 'X-Frame-Options' header in the Caliban framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Dgraph Implement the 'X-Frame-Options' header in the Dgraph framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Dianajl Implement the 'X-Frame-Options' header in the DianaJL framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Directus Implement the 'X-Frame-Options' header in the Directus framework to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Flutter Implement the 'X-Frame-Options' header in the server response to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the value.
Graphene Implement the 'X-Frame-Options' header in your Graphene framework engine by configuring your HTTP response headers to include 'X-Frame-Options: DENY' or 'X-Frame-Options: SAMEORIGIN' to prevent clickjacking attacks.
Graphqlapiforwp Implement the 'X-Frame-Options' header in the GraphQL API for WP framework to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Graphqlgophergo Implement the 'X-Frame-Options' header in the GraphQLGopherGo framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Graphqljava Implement the 'X-Frame-Options' header in the GraphQL Java framework engine to prevent clickjacking by setting it to 'DENY' or 'SAMEORIGIN' in the HTTP response headers.
Graphqlphp Implement the 'X-Frame-Options' header in the GraphQL PHP framework to prevent clickjacking by setting it to 'DENY' or 'SAMEORIGIN' in the HTTP response headers.
Graphqlyoga Implement the 'X-Frame-Options' header in the GraphQL Yoga framework to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value. The 'ALLOW-FROM' form with a trusted URL is obsolete and ignored by current browsers, so do not rely on it.
Hypergraphql Implement the 'X-Frame-Options' header in the HyperGraphQL framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Jaal Implement the 'X-Frame-Options' header in the Jaal framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Juniper Implement the 'X-Frame-Options' header in the Juniper framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value. The 'ALLOW-FROM' form with a trusted URL is obsolete and ignored by current browsers, so do not rely on it.
Lacinia Implement the 'X-Frame-Options' header in the Lacinia framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Lighthouse Implement the 'X-Frame-Options' header to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value. The 'ALLOW-FROM' form with a trusted URL is obsolete and ignored by current browsers, so do not rely on it.
Mercurius Implement the 'X-Frame-Options' header in the Mercurius framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Morpheusgraphql Implement the 'X-Frame-Options' header in the Morpheus GraphQL framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Gqlgen Implement the 'X-Frame-Options' header in the gqlgen framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value, for example from an HTTP middleware wrapped around the GraphQL handler.
Sangria Implement the `X-Frame-Options` header in the Sangria framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Shopify Implement the 'X-Frame-Options' header in your Shopify theme by adding it to the HTTP response headers to prevent clickjacking attacks. You can set it to 'DENY' or 'SAMEORIGIN' depending on your requirements.
Stepzen Add the 'X-Frame-Options' header to your StepZen framework engine configuration to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the value.
Strawberry Implement the 'X-Frame-Options' header in the Strawberry framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Tartiflette Implement the 'X-Frame-Options' header in the Tartiflette framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Wpgraphql Implement the 'X-Frame-Options' header in the server configuration to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the value.

REST Specific

Asp_net Implement the X-Frame-Options HTTP response header in your ASP.NET application to prevent clickjacking attacks. This can be done by adding the header in the web.config file or directly in your code.
Ruby_on_rails In Ruby on Rails, set the `X-Frame-Options` header to `DENY` or `SAMEORIGIN` by adding `config.action_dispatch.default_headers = { 'X-Frame-Options' => 'SAMEORIGIN' }` to the `config/application.rb` file. Rails ships with `SAMEORIGIN` in its default headers, so this setting matters when the defaults have been cleared or when `DENY` is required. This will prevent the app's content from being framed and protect against clickjacking attacks.
Next_js In your Next.js application, set the `X-Frame-Options` HTTP header to `DENY` or `SAMEORIGIN` to prevent clickjacking attacks. You can do this by customizing the server configuration or by using Next.js middleware to add the header to all server responses.
Laravel In Laravel, you can add the `X-Frame-Options` header globally by using middleware. Create a new middleware with the command `php artisan make:middleware AddXFrameOptionsHeader`, then in the `handle` method of the generated class, add the header to the `\Illuminate\Http\Response` returned by `$next($request)` before returning it. Finally, register the middleware in the `app/Http/Kernel.php` file.
Express_js In your Express.js application, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' to prevent clickjacking attacks. You can do this by using the 'helmet' middleware, which includes a module for setting this header. Install helmet with 'npm install helmet' and include it in your app with 'app.use(helmet.frameguard({ action: 'deny' }))' for denying all framing or 'app.use(helmet.frameguard({ action: 'sameorigin' }))' to allow framing by the same origin only.
Django In your Django application, ensure that the 'X-Frame-Options' header is set by using the 'XFrameOptionsMiddleware'. Add 'django.middleware.clickjacking.XFrameOptionsMiddleware' to the 'MIDDLEWARE' setting in your settings.py file to enable it. This middleware will set the 'X-Frame-Options' header to 'DENY' by default, which prevents your website from being framed by any other site. If you need to allow framing by certain trusted origins, you can use the 'SAMEORIGIN' value or customize the behavior using the 'X_FRAME_OPTIONS' setting.
Symfony In Symfony, set the `X-Frame-Options` header directly on the response, for example with `$response->headers->set('X-Frame-Options', 'DENY');` for an individual response, or in a `kernel.response` event listener that sets `DENY` or `SAMEORIGIN` on every response to apply it globally. Symfony itself has no `security.yaml` option for this header; the listener (or a dedicated security bundle) is the place to configure it.
Spring_boot In a Spring Boot application, add the `X-Frame-Options` header to HTTP responses to prevent clickjacking attacks. Configure the `HttpSecurity` in your security configuration class by using the `headers()` method chain to include `frameOptions().deny()` or `frameOptions().sameOrigin()` based on your requirements.
Flask In Flask, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN' by adding it to the response headers. This can be done using the 'after_request' decorator to ensure all responses include the header. For example, to apply it to all responses:

  @app.after_request
  def apply_xframe_options(response):
      response.headers['X-Frame-Options'] = 'SAMEORIGIN'
      return response
Nuxt In your Nuxt.js application, ensure that the `X-Frame-Options` header is set to either `DENY` or `SAMEORIGIN` to prevent clickjacking attacks. You can achieve this by configuring your server settings or by using middleware to set the header for all responses.
Fastapi In FastAPI, to mitigate clickjacking attacks by preventing your application from being embedded in an iframe, set the 'X-Frame-Options' header to 'DENY' or 'SAMEORIGIN'. You can do this with FastAPI's HTTP middleware decorator, which runs for every response:

  @app.middleware("http")
  async def apply_x_frame_options(request, call_next):
      response = await call_next(request)
      response.headers["X-Frame-Options"] = "SAMEORIGIN"
      return response

Replace 'SAMEORIGIN' with 'DENY' if you want to block all framing attempts.
Frappe Implement the 'X-Frame-Options' header in the Frappe framework to prevent clickjacking by setting it to 'DENY' or 'SAMEORIGIN' in the HTTP response headers.
Genzio Implement the 'X-Frame-Options' header in the Genzio framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Gin Add the X-Frame-Options header in the Gin framework by using middleware to set it to 'DENY' or 'SAMEORIGIN' to prevent clickjacking attacks.
Gorilla Implement the 'X-Frame-Options' header to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' in the Gorilla framework engine.
Hapi Add the `X-Frame-Options` header in the hapi framework with the built-in `security` route option, for example `routes: { security: { xframe: 'deny' } }` (or `'sameorigin'`) in the server configuration so that it applies to every route, to prevent clickjacking attacks.
Hono Implement the 'X-Frame-Options' header in the Hono framework engine to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value. The 'ALLOW-FROM' form with a trusted URL is obsolete and ignored by current browsers, so do not rely on it.
Jersey Add the 'X-Frame-Options' header to HTTP responses in the Jersey framework, for example from a `ContainerResponseFilter`, to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as the header value. The 'ALLOW-FROM uri' form is obsolete and ignored by current browsers, so do not rely on it.
Koa Implement the 'koa-helmet' middleware to set the 'X-Frame-Options' header and enhance security by preventing clickjacking attacks.
Ktor Add the `X-Frame-Options` header to your Ktor application by configuring the HTTP response headers to include `X-Frame-Options: DENY` or `X-Frame-Options: SAMEORIGIN` to prevent clickjacking attacks.
Leptos Implement the `X-Frame-Options` header in the Leptos framework engine to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the header value.
Macaron Implement the 'X-Frame-Options' header in the Macaron framework by adding middleware to set the header value to 'DENY' or 'SAMEORIGIN' to prevent clickjacking attacks.
Phoenix Add the X-Frame-Options header in the Phoenix framework by keeping the `put_secure_browser_headers` plug in the router pipeline that serves your endpoint (it sets `x-frame-options: SAMEORIGIN`), or by passing your own headers to it, to prevent clickjacking attacks.
Redwoodjs Add the `X-Frame-Options` header in the RedwoodJS server configuration to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the value.
Rocket Implement the 'X-Frame-Options' header in your Rocket framework application, for example from a response fairing, to prevent clickjacking attacks by specifying 'DENY' or 'SAMEORIGIN' as appropriate. The 'ALLOW-FROM uri' form is obsolete and ignored by current browsers, so do not rely on it.
Sveltekit Add the `X-Frame-Options` header in the SvelteKit server configuration to prevent clickjacking by specifying 'DENY' or 'SAMEORIGIN' as the value.
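Every framework entry above, in both the GraphQL and REST sections, reduces to the same step: attach `X-Frame-Options: DENY` or `SAMEORIGIN` to every response. The following added example (not code from any of the listed frameworks or from Escape) shows that step as a WSGI middleware, which sits in front of any WSGI-served application such as Flask, Django or Frappe without touching individual views. It rejects the obsolete ALLOW-FROM form at construction time and, by default, keeps a stricter value a view already set. The demo application, the synthetic environ and the request helper are constructed test doubles so the block runs without a web server.

```python
"""WSGI middleware that guarantees an X-Frame-Options header on every response.

Added, framework-agnostic example of the remediation described on this page;
it is not the code of any framework listed above.
"""
from typing import Callable, Iterable, List, Tuple

Headers = List[Tuple[str, str]]
ALLOWED = ("DENY", "SAMEORIGIN")   # ALLOW-FROM is obsolete and deliberately rejected


class XFrameOptionsMiddleware:
    """Wrap a WSGI app so each response carries X-Frame-Options.

    value    : DENY or SAMEORIGIN.
    override : when False (default) a value the app set itself is kept, so a
               view that sends DENY is not weakened to SAMEORIGIN; when True
               the middleware's value replaces whatever the app emitted.
    """

    def __init__(self, app: Callable, value: str = "DENY", override: bool = False):
        if value not in ALLOWED:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app = app
        self.value = value
        self.override = override

    def __call__(self, environ: dict, start_response: Callable) -> Iterable[bytes]:
        def patched_start_response(status: str, headers: Headers, exc_info=None):
            present = any(name.lower() == "x-frame-options" for name, _ in headers)
            if present and self.override:
                headers = [(n, v) for n, v in headers if n.lower() != "x-frame-options"]
                present = False
            if not present:
                headers = list(headers) + [("X-Frame-Options", self.value)]
            return start_response(status, headers, exc_info)

        return self.app(environ, patched_start_response)


# --- constructed test doubles so the block runs offline ---------------------

def demo_app(environ: dict, start_response: Callable) -> Iterable[bytes]:
    """Minimal WSGI app (constructed): /strict sets its own DENY, other paths set nothing."""
    headers = [("Content-Type", "text/html; charset=utf-8")]
    if environ.get("PATH_INFO") == "/strict":
        headers.append(("X-Frame-Options", "DENY"))
    start_response("200 OK", headers)
    return [b"<html><body>hello</body></html>"]


def run_request(app: Callable, path: str) -> Tuple[str, dict, bytes]:
    """Drive a WSGI app with a synthetic environ; return status, lower-cased headers, body."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = {name.lower(): value for name, value in headers}

    environ = {
        "REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost",
        "SERVER_PORT": "80", "wsgi.url_scheme": "http",
    }
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    wrapped = XFrameOptionsMiddleware(demo_app, value="SAMEORIGIN")
    for path in ("/", "/strict"):
        status, headers, _ = run_request(wrapped, path)
        print(path, status, headers.get("x-frame-options"))
```

In a Flask project the wrapping is `app.wsgi_app = XFrameOptionsMiddleware(app.wsgi_app)`; in Django it goes around the object returned by `get_wsgi_application()` in `wsgi.py`. The header is also added to JSON responses, which costs nothing and keeps scanners such as this check from flagging API routes.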

Configuration

Identifier: protocol/header_x_frame_options

Examples

Ignore this check

checks:
  protocol/header_x_frame_options:
    skip: true

Score

  • Escape Severity:

Compliance

  • OWASP: API7:2023
  • OWASP LLM: LLM02:2023
  • pci: 6.5.10
  • gdpr: Article-32
  • soc2: CC1
  • psd2: Article-95
  • iso27001: A.14.2
  • nist: SP800-53
  • fedramp: AC-2

Classification

  • CWE: 16

Score

  • CVSS_VECTOR: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  • CVSS_SCORE: 4.3