Protocol: X-Frame-Options header
Identifier: header_x_frame_options
Scanner(s) Support
| GraphQL Scanner | REST Scanner | WebApp Scanner | ASM Scanner |
|---|---|---|---|
Description
X-Frame-Options tells a browser whether the page it is loading may be rendered inside a frame (frame, iframe, embed or object) on another site. Without it, an attacker can load your site in an invisible frame over a page they control and trick users into clicking hidden elements (clickjacking), which can lead to unintended actions such as transferring funds, changing account settings or submitting credentials. DENY forbids all framing; SAMEORIGIN permits framing only by pages from the same origin. The ALLOW-FROM value was never widely implemented and is ignored by current browsers, and the header as a whole is superseded by the Content-Security-Policy frame-ancestors directive, which takes precedence when both are present.
How we test: We inspect the HTTP response headers for the X-Frame-Options header and report a finding when it is missing or carries a value other than DENY or SAMEORIGIN, which are the settings that protect against clickjacking.
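The following is an added example of the check described above, written here for illustration; it is not the scanner's own implementation. It goes slightly beyond the description by also honouring a Content-Security-Policy frame-ancestors directive and by flagging duplicate or obsolete values. The header sets in SAMPLE_RESPONSES are constructed sample input, not real scan output.

```python
"""Classify a response's clickjacking protection from its headers.

Added example (not the scanner's code). Input is a mapping of header name
to the list of values seen for it, since a header may appear more than once.
"""
from typing import Dict, List, Tuple

# Values defined by RFC 7034 that actually protect the page.
VALID_XFO = {"DENY", "SAMEORIGIN"}

# Source expressions that make frame-ancestors permit any framer.
OPEN_SOURCES = {"*", "http:", "https:"}


def evaluate_framing_protection(headers: Dict[str, List[str]]) -> Tuple[str, str]:
    """Return ("pass" | "fail", reason) for one HTTP response."""
    # Header names are case-insensitive, so normalise them first.
    h = {name.lower(): values for name, values in headers.items()}

    # 1. CSP frame-ancestors supersedes X-Frame-Options in browsers that
    #    support it, so evaluate it first if present.
    for policy in h.get("content-security-policy", []):
        for directive in policy.split(";"):
            name, _, value = directive.strip().partition(" ")
            if name.lower() != "frame-ancestors":
                continue
            sources = value.split()
            if sources and not any(s in OPEN_SOURCES for s in sources):
                return "pass", f"CSP frame-ancestors restricts framing: {value.strip()}"
            return "fail", f"CSP frame-ancestors permits any origin: {value.strip() or '(empty)'}"

    # 2. Otherwise fall back to X-Frame-Options.
    raw_values = h.get("x-frame-options", [])
    if not raw_values:
        return "fail", "X-Frame-Options missing and no CSP frame-ancestors directive"

    # Collapse repeated headers and comma-joined values; browsers handle
    # conflicting values inconsistently, so that is a finding on its own.
    values = {v.strip().upper() for raw in raw_values for v in raw.split(",")}
    if len(values) > 1:
        return "fail", f"conflicting X-Frame-Options values: {sorted(values)}"

    value = values.pop()
    if value in VALID_XFO:
        return "pass", f"X-Frame-Options: {value}"
    if value.startswith("ALLOW-FROM"):
        return "fail", "ALLOW-FROM is obsolete and ignored by modern browsers; use CSP frame-ancestors"
    return "fail", f"unrecognised X-Frame-Options value {value!r} is ignored by browsers"


# Constructed sample responses (hypothetical, for the demonstration only).
SAMPLE_RESPONSES: Dict[str, Dict[str, List[str]]] = {
    "no-header": {"Content-Type": ["text/html"]},
    "deny": {"X-Frame-Options": ["DENY"]},
    "sameorigin-lowercase": {"x-frame-options": ["sameorigin"]},
    "allow-from": {"X-Frame-Options": ["ALLOW-FROM https://example.com"]},
    "conflicting": {"X-Frame-Options": ["DENY", "SAMEORIGIN"]},
    "csp-none": {"Content-Security-Policy": ["default-src 'self'; frame-ancestors 'none'"]},
    # DENY here is ineffective: the CSP directive wins and allows any framer.
    "csp-wildcard": {"Content-Security-Policy": ["frame-ancestors *"], "X-Frame-Options": ["DENY"]},
}


def scan(responses: Dict[str, Dict[str, List[str]]]) -> Dict[str, str]:
    """Run the check over many responses and return name -> verdict."""
    return {name: evaluate_framing_protection(hdrs)[0] for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLE_RESPONSES.items():
        verdict, reason = evaluate_framing_protection(hdrs)
        print(f"{name:22} {verdict:4}  {reason}")
```

The csp-wildcard case is the one worth remembering: a correct X-Frame-Options: DENY can be silently undone by a permissive frame-ancestors directive, so a scanner that only looks at X-Frame-Options reports a pass where the page is in fact frameable.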
Configuration
Example
Example configuration:
Reference
skip
Type: boolean
Skip the test if true.